Consumer Privacy and Identity Theft

8/23/2019 Consumer Privacy and Identity Theft

1/161

ThetConsumerandPrivacy

A Summary o

Key Statutes and

Guide or Lawmakers

Caliornia Senate Ofce o Research

2008 Edition


2/161


3/161

Saskia Kim

Caliornia Senate Ofce o Research

Agnes Lee, Director n 3rd Edition n January 1, 2008

A Summary o Key Statutes and Guide or LawmakersThet

ConsumerandPrivacy


4/161


5/161

Contents

Introduction 7

The Constitution and General Privacy

Overview 11

Constitutional Right to Privacy 12

Constructive Invasion o Privacy 14

Invasion o Privacy: Common Law Tort . 14

Invasion o Privacy: Penal Code 15

Preemption 16

Credit Cards

Overview 21

Activation Process Required or Substitute Credit Cards 21

Change o Address and Credit Card Requests 22

Credit Card or Debit Card Numbers Printed on Receipts 24

Disclosure o Minimum Payment Amount 25

Fraudulent Use o Inormation (Skimming) 26

Preprinted Checks: Disclosures 26

Recording Credit Card Numbers on Checks 27

Recording Personal Inormation on Credit Card

Transaction Forms 27

Verication o Credit Applicants Address 27

Credit Reporting

Overview 33

Credit Reporting 34Investigative Consumer Reporting Agencies 37

Security Alerts 38

Security Freezes 40


6/161

Data Security

Overview 43

Destruction o Business and Medical Records 44

Notication o Breach in Data Security 46

Personal Inormation: Reasonable Security Procedures 47

Financial Privacy and Related Issues

Overview 51

Account Numbers 52

Debt Collection 52

Financial Privacy . 53

Insurance Inormation and Privacy Protection Act 55

Insurers: Genetic Testing 56

Identity Thet

Overview 59

Crime o Identity Thet 60

Debt Collection Activities 61

Deceptive Identication Documents 61

Department o Justice Identity Thet Victim Database 62

Falsely Obtaining Department o Motor Vehicles Documents 62

Identity Thet Victims Right to Free Credit Reports 63Issuance o a Search Warrant 64

Judicial Determination o Innocence 64

Jurisdiction or Prosecuting Identity Thet Crime 64

Law Enorcement Investigation Required 65

Right to Bring Legal Action Against a Creditor 65

Right to Obtain Records o Fraudulent Transactions

or Accounts 66

Statute o Limitations 67

Youth in Foster Care: Request or Credit Report . 68

Marketing

Overview 71

Aliate Marketing 72


7/161

Cell Phone Directory: Opt in Required 73

Credit Card Solicitations 73

Direct Marketing: Medical Inormation 73

Disclosure o Alumni Names and Addresses 74Disclosure o Personal Inormation to Direct Marketers 75

Marketing to Children Under 16 Years o Age 75

On-Campus Marketing: Credit Cards 76

Satellite and Cable Television Subscribers 76

Supermarket Club Card Disclosure Act o 1999 77

Telecommunications: Residential Subscriber Inormation 77

Telemarketing: Do Not Call Registry 78

Telephone Consumer Protection Act o 1991 . 79

Unsolicited Commercial E-mail Messages (Spam) 79

Unsolicited Text Messages 81

Medical Privacy

Overview 85

Medical Privacy 86

Oce o HIPAA Implementation 92

Patient Access to Medical Records 92

Retention o Patient Records 93

Online Privacy and Related Issues

Overview 97

Anti-Phishing Act o 2005 98

Childrens Online Privacy Protection Act 98

Computer Spyware 99

Online Privacy Policy 99

Posting Personal Inormation on the Internet 100

State Agency Collection o Personal Inormation

on the Internet 101

Unauthorized Access to Computers, Computer Systems,

and Data 101


8/161

US SAFE WEB Act 102

Wireless Network Security 102

Public Records

Overview 105

Birth and Death Record Indices 106

Birth and Death Records: Condential Inormation 107

Birth and Death Records: Release o Records 107

Court Records: Personal Inormation o Victims

and Witnesses 108

Court Records: Sealing Inormation Regarding Financial

Assets and Liabilities 108

Department o Motor Vehicles Records 109

Drivers License Inormation: Swiping Licenses 110

Drivers Privacy Protection Act o 1994 110

Inormation Practices Act o 1977 111

Marriage License Inormation 112

Privacy Act o 1974 112

Public Records: Address Condentiality 112

Public Records Act 113

State Agencies: Mailing Personal Inormation 114

State Agencies Privacy Policies 114

State Agency Databases: Researcher Access 115

Voter Inormation 115

Voter Inormation: Outsourcing 117

Social Security Numbers

Overview 121

Condentiality 122County Recorders Records 123

Court Records 124

Drivers Licenses 124

Employee Compensation 125


9/161

Family Court Records . 125

Franchise Tax Board Liens 125

Local Agencies Records 126

Powers o Attorney 126

Secretary o State Filings . 126

Use by Colleges and Universities 128

Use in Credit Reports 128

Other Key Statutes

Overview 131

Criminal Investigation Inormation 132

Eavesdropping on Condential Communications 132

Electronic Communications Privacy Act o 1986 133

Electronic Surveillance Technology: Rental Cars 133

Electronic Tracking Devices on Vehicles . 134

Identication Devices: Forced Human Implants 134

Oce o Inormation Security and Privacy Protection 134

Personal Inormation: Domestic Violence, Sexual Assault,

and Stalking 135

Personal Inormation: Inmate Access 136

Pretexting 137

Real ID Act o 2005 138

Student Records 141

Taxpayer Inormation 142

Unair Competition Law 142

Vehicle Event Data Recorders 143

Video Image Evidence: Parking Enorcement 143

Video Sale or Rental 144

Index 147


10/161


11/161

For the seventh year in a row, identity thet tops the Federal Trade

Commissions list o top 10 consumer complaints The most common orm oreported identity thet is credit card raud, ollowed by phone or utilities raud,

bank raud, and employment raud And among the 50 states, Caliornia ranks

third in identity thet victims per capita, ater Arizona and Nevada

Social security numbers are the most requently used recordkeeping numbers

in the nation, and because they can be used to assume another persons

identity, they are one o the three most sought ater pieces o inormation (in

addition to names and birth dates) by identity thieves

Both the US Supreme Court and Caliornia Supreme Court issued rulings in

2007 that aect consumers (and even state employees in particular, see Public

Records Act on page 113) and their privacy rights Federal agencies also

issued nal rules last year that implement consumer protection statutes

In Caliornia, lawmakers approved measures that, to highlight just a ew,

restrict how social security numbers are displayed in many public records;prohibit the orced human implantation o identication devices that can

transmit personal inormation; and extend the states rst-in-the-nation

breach-notication law, which now requires that a consumer must be notied

i his or her medical inormation has been breached

These and numerous other state and ederal laws are eatured in this years

edition oConsumer Privacy and Identity Thet (Readers are encouraged to

consult the statutory texts or more detail, and please note that all citations to

the Fair Credit Reporting Act include amendments to the act contained in the

Fair and Accurate Credit Transactions Act o 2003 [FACTA])

Consumers will begin to eel the impact o these new state and ederal laws

this year, as many went into eect on January 1, 2008

Introduction


12/161


13/161

The Constitution and

General Privacy


14/161


15/161

Overview

n Caliornia is one o only ten states whose state constitutions

expressly recognize a right to privacy1 The US Constitution,however, does not contain an explicit right to privacy; the US

Supreme Court has instead held that the ederal constitution

implicitly recognizes an individuals right to privacy with respect

to certain rights For example, the First Amendment saeguards an

individuals reedom o expression and association, and the Fourth

Amendment protects an individual against unreasonable search and

seizure Yet these rights only protect against intrusive governmental

activities Caliornias constitution, on the other hand, has beeninterpreted by the courts to protect against both governmental and

private entities

n In addition to constitutional protections, Caliornia has enacted

statutory provisions saeguarding the general privacy o individuals

For instance, Caliornia law provides or civil liability or the

constructive invasion o privacy and imposes criminal penalties or

certain kinds o privacy invasions, such as unauthorized wiretappingand electronic eavesdropping Caliornia courts have also recognized

the tort o invasion o privacy that allows an injured party to bring

a lawsuit seeking redress The Caliornia Supreme Court recently

considered this issue in a case in which an academic researcher

was alleged to have misrepresented her position to obtain sensitive

personal inormation

n The ability o states to act to protect privacy is also critical Preservingthe states long-standing ability to enact laws relating to consumer

privacy and identity thet has become a signicant issue as Congress

1 National Conerence o State Legislatures,Privacy Protections in State Constitutions, http://www.ncsl.org/

programs/lis/privacy/stateconstpriv03.htm.



16/161

has increasingly included preemption provisions in proposed ederal

legislation Furthermore, ederal regulatory agenciessuch as the

Oce o the Comptroller o the Currency and the Oce o Thrit

Supervisionhave taken a broadly preemptive view o the powerso ederally chartered nancial institutions that has implicated

some privacy-related issues And both state and ederal courts have

invalidated some state laws on the basis that ederal law preempts

state action in various instances

n To provide a better understanding o the ramework in which state law

operates, this report outlines how specied ederal laws impact state

statutes, although it is important to note that whether a state law ispreempted by ederal law is ultimately an issue decided by the courts2

In some cases, courts have invalidated Caliornia law on the basis o

preemption; these instances are noted in this report In other cases,

although ederal law may contain provisions that arguably preempt

Caliornia law, the courts have yet to rule on the matter As a result,

the extent and practical eect o the particular preemption provision

is not yet known

2 Related to this point, the Caliornia Constitution prohibits state administrative agencies rom declaring a statute

unenorceable or reusing to enorce a statute on the basis that it is preempted by ederal law or ederal

regulations unless an appellate court makes a determination that the statute is preempted by ederal law or

regulations. [Caliornia Constitution, Article I, Section 3.5.]

Constitutional Right to PrivacyCalifornia Law

State law species in the Caliornia Constitution that all people have an

inalienable right to pursue and obtain privacy [Caliornia Constitution,

Article I, Section 1] The right o privacy was added to the constitution

by initiative (Proposition 11) in November 1972

Consumer Privacy and Identity Thet


17/161

Caliornias constitution gives Caliornians greater privacy protections than

those recognized by the US Constitution For example, whereas ederal

protections apply only to government action, Caliornias right to privacy

protects individuals rom actions by both the government and private entities

[See, eg, American Academy o Pediatrics v. Lungren(1997) 16 Cal 4th 307,

326, citing Hill v. National Collegiate Athletic Association(1994) 7 Cal 4th 1,

15-20]

The Caliornia Supreme Court has held that the Caliornia Constitution in and

o itsel creates a legal and enorceable right o privacy or every Caliornian

[White v. Davis(1975) 13 Cal 3d 757, 775] To successully assert a claim or

invasion o ones constitutional right to privacy, a plainti must establish

the ollowing three elements: (1) a legally protected privacy interest, (2) areasonable expectation o privacy in the circumstances, and (3) conduct by the

deendant that constitutes a serious invasion o privacy [Hill, 7 Cal 4th at 39-40;

Pioneer Electronics (USA), Inc. v. Superior Court(2007) 40 Cal 4th 360]

I a plainti establishes these three elements, the deendant may prove that the

invasion o privacy is justied because it urthers legitimate and important

competing interests [Hill, 7 Cal 4th at 38] In Hill, the Caliornia Supreme Court

explained this balancing test: Invasion o a privacy interest is not a violationo the state constitutional right to privacy i the invasion is justied by a

competing interest [Id]

Federal Law

Federal law does not contain an express right to privacy in the US

Constitution Instead, the US Supreme Court has recognized an individuals

right to privacy implicit in the constitution with respect to certain rights For

example, the Court has recognized First Amendment saeguards or reedom

o expression and association and Fourth Amendment protections against

unreasonable search and seizure [See, eg, Griswold v. Connecticut(1965)

381 US 479; Katz v. United States(1967) 389 US 347] The Court has also

recognized a limited constitutional right to inormational privacy [Whalen



18/161

v. Roe(1977) 429 US 589] In these cases, individuals are protected against

intrusive governmental activities

Constructive Invasiono PrivacyCalifornia Law

State law provides civil liability or the constructive invasion o privacy when a

deendant attempts to capture, in a manner oensive to a reasonable person,

any type o visual image, sound recording, or other physical impression o an

individual engaging in a personal or amilial activity The individual must have

had a reasonable expectation o privacy in the circumstances, and the image,

recording, or impression must have been obtained through a visual or auditory

enhancing device and could not have been obtained without a trespass unless

the device was used [Caliornia Civil Code Section 17088(b)]

Invasion o Privacy:Common Law TortCalifornia Law

State law provides civil liability or invasion o privacy under the common

law While ull treatment o this common law tort is beyond the scope o this

overview, our types o activities are considered an invasion o privacy, giving

rise to civil liability:

1 Intrusion upon the plaintis seclusion or solitude or into his or her private

aairs;2 Public disclosure o private acts about the plainti;

3 Publicity that places the plainti in a alse light in the public eye; and

4 Misappropriation, or the deendants advantage, o a persons name or

likeness [William L Prosser, Privacy, 48 Cal L Rev 383, 389 (1960) See



19/161

also, Restatement (Second) o Torts, Sections 652A-652E and 5 Witkin,

Summary o Cal Law Torts (10th ed) Torts, Section 651]

However, not every kind o conduct appearing to all within one o the our

categories noted above gives rise to a common law cause o action or invasiono privacy Instead, courts generally consider whether the conduct in question

is highly oensive to a reasonable person, considering, among other

things, the degree o the intrusion, the context, conduct and circumstances

surrounding the intrusion, as well as the intruders motives and objectives,

the setting into which he [or she] intrudes, and the expectations o those

whose privacy is invaded [Hill, 7 Cal 4th at 25-26, citing Miller v. National

Broadcasting Co. (1986) 187 Cal App 3d 1463, 1483-1484]

An injured plainti may recover damages or an invasion o privacy violation

[Metter v. Los Angeles Examiner(1939) 35 Cal App 2d 304, 310]

In February 2007 the Caliornia Supreme Court considered an invasion

o privacy case in which an academic researcher was alleged to have

misrepresented her position to obtain sensitive personal inormation In this

case, the court held that the researcher could be held liable in an invasion-o-

privacy lawsuit or improperly intruding into private matters but dismissed theplaintis other privacy-related claims [Taus v. Lotus(2007) 40 Cal 4th 683]

Invasion o Privacy:Penal CodeCalifornia Law

State law prohibits the invasion o privacy with the intent to protect

Caliornians right to privacy [Caliornia Penal Code Section 630 et seq]

Among other things, these statutes contain criminal penalties or unauthorized

wiretapping, electronic eavesdropping, intercepting cellular telephone

communications, and electronic tracking o individuals, except as specied



20/161

6

PreemptionFederal Law

The doctrine o ederal preemption provides that congressional action

pursuant to an enumerated, or specic, power may override state laws There

are three tests the courts reer to when deciding whether ederal regulation

preempts state law: (1) express preemption, in which Congress, through

explicit statutory language, restricts the ability o states and localities to

legislate in specic areas, (2) eld preemption, in which Congress occupies

the eld, and (3) confict preemption, in which it is impossible or an entity

to comply with both state and ederal law at the same time or where state law

stands as an obstacle to the congressional purpose o the ederal law [Gade v.National Solid Waste Management Association(1992) 505 US 88, 98]

Even where preemption is ound, the court must still determine the precise

extent o the preemption There has been heightened interest in the issue o

preemption in general, as Congress has increasingly included preemption

provisions in proposed ederal legislation, and ederal regulatory agencies

have also increasingly taken a broad view o the powers o ederally chartered

nancial institutions

For example, the Fair Credit Reporting Act (FCRA) preempts state action

in certain matters On this point it is important to note that the preemption

language included in FCRA, as amended by the Fair and Accurate Credit

Transactions Act o 2003 (FACTA), varies depending on the specic FCRA

provision, as FACTA introduced a dierent, and arguably narrower, orm o

preemption Some preemption provisions, or instance, arguably appear quite

narrow, only precluding states rom enacting requirements with respect to the

conduct required by specic provisions o FCRA [Fair Credit Reporting Act

Section 625(b)(5), 15 USC 1681t]

In other cases, states are preempted rom enacting any requirement or

prohibition with respect to any subject matter regulated under a specied



21/161

provision [Fair Credit Reporting Act Section 625(b)(1), 15 USC 1681t] While

the conduct required preemption standard appears to be narrower than the

subject matter regulated standard, it is important to note that the scope o

these preemption provisions has not yet been tested in court

Increasingly, some ederal regulatory agencies have also taken a broad

view o the powers o the ederally chartered entities they regulate, which

has implicated some privacy-related issues3 For example, the Oce o

the Comptroller o the Currency, which regulates national banks under the

National Bank Act (12 USC 21 et seq), issued a nal rule in 2004 identiying

the types o state laws that are preempted with respect to ederally chartered

banks and their operating subsidiaries4 The rule provides that, except where

made applicable by ederal law, state laws that obstruct, impair, or condition

a national banks ability to ully exercise its lending or deposit-taking powers

are preempted Under the rule, a state law does not apply to a national bank i

the law obstructs, impairs, or conditions the banks ability to ully exercise its

powers to conduct ederally authorized activities [12 CFR Parts 7 and 34]

The nal rule issued by the Oce o the Comptroller o the Currency also

identies those state laws that are not preempted with respect to a national

banks deposit-taking, lending, or other powers granted to it by ederal law

These include state laws regarding contracts, rights to collect debt, torts, and

property transers to the extent that they only incidentally aect the exercise

o a national banks power in the area The Oce o the Comptroller o the

Currency retains the ability to determine whether a particular state law is

preempted (and thereore does not apply to a national bank or its operating

subsidiaries) on a case-by-case basis [12 CFR Parts 7 and 34]

3 Federal regulations within the power o the issuing agency may preempt state law; the U.S. Supreme Court

has stated that ederal regulations have no less pre-emptive eect than ederal statutes. [Fid. Fed. Sav. &

Loan Assn v. de la Cuesta(1982) 458 U.S. 141, 153.] The Court also noted: Pre-emption may result not onlyrom action taken by Congress itsel; a ederal agency acting within the scope o its congressionally delegated

authority may pre-empt state regulation. [La. Public Serv. Com v. FCC (1986) 476 U.S. 355, 369.]4 In April 2007 the U.S. Supreme Court held that state laws do not apply to a national banks mortgage lending

activities, whether those activities are conducted by the bank itsel or the banks operating subsidiary. [Watters

v. WachoviaBank, N.A. (2007) 127 S. Ct. 1559, 1564.] Instead, national banks and their operating subsidiaries

such as mortgage companies that operate as subsidiaries o national banksare subject to exclusive regulation

by the Oce o the Comptroller o the Currency and not to the licensing, reporting, and visitorial regime o

the state in which the subsidiary operates. [Id. at 1564-1565.] The Court noted that certain state laws that do

not confict with the purpose o the National Bank Act are applicable to national banks. These include state laws

regarding usury, contracts made by national banks, and acquisition and transer o property by national banks.

[Id. at 1567.]



22/161

8

The Oce o Thrit Supervision, which regulates ederal savings associations

under the Home Owners Loan Act o 1933 (12 USC 1461 et seq), has also

promulgated regulations that preempt state law purporting to address the

subject o the operations o a Federal savings association [12 CFR Part

5452] Regulations issued by the Oce o Thrit Supervision urther state thatthe oce occupies the entire eld o lending regulation or ederal savings

associations [12 CFR Part 5602]

The regulations issued by the Oce o the Comptroller o the Currency and the

Oce o Thrit Supervision have both been interpreted to preempt Caliornia

Civil Code Section 174813, which requires credit card issuers to include

a warning statement and other specied inormation regarding minimum

payments in billing statements provided to cardholders [American Bankers

Association v. Lockyer(2002) 239 F Supp 2d 1000]

None o the above-described regulations are directed specically to a states

ability to enact laws protecting consumer privacy or addressing identity thet

issues, nor do the regulations appear grounded in hostility toward the states

interest in these areas Instead, they deal more generally with the powers

o a ederally chartered institution The regulations may, however, have a

preemptive eect i state laws regarding consumer privacy or identity thet are

ound to interere improperly with the operations o the ederally chartered

institutions regulated by these agencies

Other ederal agencies also take an active role in consumer privacy and identity

thet protections For example, the Federal Trade Commission (FTC) is charged

with preventing unair methods o competition and unair or deceptive acts or

practices in interstate commerce [15 USC 45 et seq] Several other statutes

also orm the basis or the FTCs authority in protecting consumers, including

the GrammLeachBliley Act (15 USC 6801 et seq), Fair Credit Reporting Act(15 USC 1681 et seq), and Childrens Online Privacy Protection Act (15 USC

6501 et seq)



23/161

Credit Cards


24/161


25/161

Activation Process Requiredor Substitute Credit CardsCalifornia Law

Under state law, a credit card issuer may not issue a substitute credit card

unless the cardholder is required to contact the issuer to activate the credit

card beore using it [Caliornia Civil Code Section 174705]

Overview

nBoth state and ederal law regulate credit cards In 2003, or example,

Congress passed the Fair and Accurate Credit Transactions Act

(FACTA), which amended the Fair Credit Reporting Act (FCRA) FACTA

contains provisions relating to requirements that a credit card issuer

must meet when responding to a request or a change o address

And ederal agencies recently issued a nal rule implementing these

requirements Caliornia law also contains similar provisions

nWhile both FACTA and FCRA contain provisions preempting state

action, the specic preemption language varies and, in several cases,

ederal regulations are necessary beore ederal law may be ully

implemented Furthermore, whether or not these provisions preempt

state law has yet to be tested in court As a result, the exact reach o

FACTA and FCRA preemption is not yet known

Credit Cards


26/161

Change o Address and CreditCard Requests

California LawState law requires a credit card issuerwhen the issuer receives a change-o-

address request rom a cardholder as well as a replacement credit card request

within 60 daysto send a change-o-address notice to the cardholder at his or

her previous address This notice must be sent within 30 days in other specied

instances [Caliornia Civil Code Section 17991b(a)]

The notice may be given by telephone or e-mail communication i the credit

card issuer reasonably believes it has the current telephone number or e-mail

address o the cardholder who requested the address change I the notication

is provided in writing, however, it may not include the cardholders account

number, social security number, or other personal identiying inormation

although it may contain the cardholders name, previous address, and new

address o record [Caliornia Civil Code Section 17991b(c)]

When a credit card issuer receives a request to change a cardholders billing

address and a request or an additional credit card within 10 days, the issuing

company is prohibited rom activating the card or mailing a new card until it

has veried the address change [Caliornia Civil Code Section 174706(c)]

Federal Law

The ederal Fair Credit Reporting Act (FCRA), as amended by the Fair and

Accurate Credit Transactions Act o 2003 (FACTA), required the Federal Trade

Commission, National Credit Union Administration, and specied nancial-

institution agencies to issue regulations on this matter [Fair Credit Reporting

Act Section 615(e), 15 USC 1681m] In July 2006 the agencies issued



27/161

proposed regulations and a nal rule was issued in October 20075 The nal

rule is eective January 1, 2008, and covered nancial institutions and other

entities must be in compliance by November 1, 2008

The nal rule includes Red Flag regulations, which are intended to identiypatterns, practices, and specic orms o activity that indicate the possible

existence o identity thet

The nal rule requires specied nancial institutions and creditors to

implement a written Identity Thet Prevention Program, which must contain

policies and procedures to detect, prevent, and mitigate identity thet related

to the opening o an account or any existing account These policies and

procedures must: (1) identiy relevant Red Flags and incorporate them into the

program, (2) detect Red Flags that have been incorporated into the program,

(3) respond appropriately to any Red Flags that are detected to prevent and

mitigate identity thet, and (4) ensure the program is updated periodically to

refect changes in identity thet risks

Under the nal rule, i a credit card or debit card issuer receives notication

o an address change or an existing account and receives a request or an

additional or a replacement card or the same account within at least 30

days ater the change-o-address notication is received, the card issuer maynot issue the replacement or the additional card until the issuer noties the

cardholder or has otherwise assessed the validity o the change o address

in accordance with the policies and procedures established under its Identity

Thet Prevention Program

Any written or electronic notication given by the card issuer pursuant to

these requirements must be clear and conspicuous and provided separately

rom other regular correspondence with the cardholder And a card issuer

must provide a cardholder with a reasonable means or promptly reporting

incorrect address changes when the issuer noties the cardholder o the

request or an additional or replacement card

5 Identity Thet Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act o 2003,

12 C.F.R. Part 41, 12 C.F.R. Part 222, 12 C.F.R. Parts 334 and 364, 12 C.F.R. Part 571, 12 C.F.R. Part 717, and 16

C.F.R. Part 681 (2007).

Credit Cards


28/161

Congress preempted states rom enacting any requirement or prohibition

with respect to the conduct required by these specic provisions [Fair Credit

Reporting Act Section 625(b)(5)(F)] This provision thereore preempts state

laws only to the extent o the conduct required The scope o this preemption

language as applied to the nal rule has yet to be tested in court As a result,

the extent and practical eect o the preemption provision is not yet known

Credit Card or Debit CardNumbers Printed on ReceiptsCalifornia Law

Under state law, any person who accepts credit cards or debit cards or

payment may not print more than the last ve digits o the credit card or

debit card account number or the expiration date on a receipt provided to

the cardholder The prohibition applies only to electronically printed receipts

and does not apply to transactions in which the sole means o recording the

persons credit card number is by handwriting or an imprint or copy o the

card Beginning January 1, 2009, these restrictions are extended to any receipt

retained by the business as well [Caliornia Civil Code Section 174709]

Federal Law

Federal law contains a similar provision under the Fair Credit Reporting Act

(FCRA), as amended by the Fair and Accurate Credit Transactions Act o 2003

(FACTA) Specically, ederal law requires businesses to truncate credit card

and debit card numbers on electronic receipts issued at the point o sale Like

Caliornia law, FCRA prohibits the printing o more than the last ve digits

o the card number or expiration date on receipts provided to the cardholderThe ederal law also applies only to electronically printed receipts and does

not apply to transactions in which the sole means o recording the number

is by handwriting or an imprint or copy o the card [Fair Credit Reporting Act

Section 605(g), 15 USC 1681c(g)]



29/161

FCRA preempts state law requirements on this issue with respect to the

conduct required by the provision [Fair Credit Reporting Act Section

625(b)(5)(A), 15 USC 1681t]

Disclosure o MinimumPayment AmountCalifornia Law

While this state law is no longer enorceable, as described below, credit card

issuers were required to include a warning statement and other specied

inormation regarding minimum payments in billing statements provided to

cardholders [Caliornia Civil Code Section 174813] The warning statement

must say: Minimum Payment Warning: Making only the minimum payment

will increase the interest you pay and the time it takes to repay your balance

[Caliornia Civil Code Section 174813(a)(1)] The statute also requires credit

card issuers to provide inormation in billing statements regarding the length

o time it will take to pay o various balances i a cardholder pays only the

minimum amount [Caliornia Civil Code Section 174813(a)(2)]

These provisions were challenged by the American Bankers Association and

various banks on the basis that they were preempted by ederal banking laws

In American Bankers Association v. Lockyer, the trial court held that Caliornias

law was preempted in its entirety with respect to ederally chartered savings

and loans by the Home Owners Loan Act and related regulations issued by the

Oce o Thrit Supervision

As applied to national banks and ederal credit unions, the court ound that

mostbut not allo Caliornias law was preempted by the National Bank

Act, Federal Credit Union Act, and related regulations Specically, the

court ound that the minimum payment warning itsel [Caliornia Civil Code

Section 174813(a)(1)] was likely not preempted because it did not impose a

signicant burden on credit card issuers (any burden imposed was likely to be

de minimus)

Credit Cards


30/161

6

However, the court could not sever this provision so that it applied only to

national banks and ederal credit unions and not to ederally chartered savings

and loans regulated under the Home Owners Loan Act and Oce o Thrit

Supervision The court also ound that severing this provision would, in

eect, require it to rewrite the statute, thereby impermissibly intruding ona legislative unction As a result, the court held that the statute in its entirety

could not be enorced against ederally chartered credit card issuers [American

Bankers Association v. Lockyer(2002) 239 F Supp 2d 1000] Pursuant to

stipulation, the court later ordered that the statute also would not be enorced

against nonederally chartered credit card issuers [American Bankers

Association v. Lockyer(2003) 2003 US Dist LEXIS 4320]

Fraudulent Use o Inormation(Skimming)California Law

State law provides that any person who intends to deraud and knowingly and

willully uses a scanning device to access, read, obtain, memorize, or store

inormation encoded on the magnetic strip o a credit card, debit card, or other

payment card is guilty o a misdemeanor [Caliornia Penal Code Section 5026(a)]

Preprinted Checks: DisclosuresCalifornia Law

State law requires a credit card issuer who extends credit to a cardholder using

a preprinted check to disclose that the cardholders account will be charged i

the check is used; in addition, the issuer must indicate the annual percentage

rate and the nance charges that will be incurred and whether the nancecharges will be triggered immediately upon using the check [Caliornia Civil

Code Section 17489] In Rose v. Chase Manhattan Bank USA, N.A., the trial

court held that this provision was preempted by the ederal National Bank Act

(12 USC 21 et seq) and as a result cannot be enorced against national banks

[Rose v. Chase Manhattan Bank USA, N.A. (2005) 396 FSupp 2d 1116]



31/161

Recording Credit CardNumbers on Checks

California LawState law prohibits retailers, when a consumer pays or goods or services by

check, rom: (1) requiring the consumer to provide a credit card as a condition

o accepting the check, or (2) recording the credit cards number [Caliornia

Civil Code Section 1725]

Recording Personal

Inormation on Credit CardTransaction FormsCalifornia Law

Under state law, any person who accepts a credit card or payment may not

record the consumers personal identication inormation on the credit card

transaction orm, except as specied [Caliornia Civil Code Section 174708]

Verifcation o CreditApplicants Address

California Law

State law requires a credit card issuer who mails a credit card solicitation and,

in response, receives a completed credit card application that lists an address

dierent rom the one on the solicitation, to veriy the change o address bycontacting the person to whom the solicitation was mailed [Caliornia Civil

Code Section 174706(a)]

Under Caliornias Consumer Credit Reporting Agencies Act, any person who

uses a consumer credit report to extend credit must take reasonable steps to

Credit Cards


32/161

8

6 Identity Thet Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act o 2003,

12 C.F.R. Part 41, 12 C.F.R. Part 222, 12 C.F.R. Parts 334 and 364, 12 C.F.R. Part 571, 12 C.F.R. Part 717, and 16

C.F.R. Part 681 (2007).


veriy the accuracy o the consumers personal inormation i the rst and last

name, address, or social security number provided on the credit application

does not match, within a reasonable degree o certainty, the inormation listed

on the credit report [Caliornia Civil Code Section 1785203(a)]

Federal Law

Federal law contains related provisions under the ederal Fair Credit Reporting

Act (FCRA) Under FCRA, as amended by the Fair and Accurate Credit

Transactions Act o 2003 (FACTA), nationwide consumer reporting agencies

are required to notiy the requester o a credit report when the consumers

address contained in the request diers substantially rom the addresses in the

consumers le [Fair Credit Reporting Act Section 605(h), 15 USC 1681c]

FACTA required the Federal Trade Commission, National Credit Union

Administration, and specied nancial-institution agencies to issue regulations

providing guidance on reasonable policies and procedures a user o credit

reports should employ when the user receives a notice o an address

discrepancy In July 2006 the agencies issued proposed regulations and a nal

rule was adopted in October 20076 The nal rule is eective January 1, 2008,

and covered nancial institutions and other entities must be in compliance byNovember 1, 2008

The nal rule requires a credit report user to develop and implement

reasonable policies and procedures designed to enable the userwhen

a notice o an address discrepancy has been received by the userto orm

a reasonable belie that a consumer report relates to the consumer in question

The rule provides examples o reasonable policies and procedures, such as


33/161

9

comparing inormation contained in the report with inormation the user has

obtained and used to veriy the consumers identity in accordance with the

requirements o the Customer Identication Program (CIP) rules pursuant to

the USA PATRIOT Act [31 USC 5318(l)]

Although many FCRA provisions preempt the states only with respect to the

conduct required by specic provisions o the act, the preemption standard

or this provision is somewhat dierent: specically, states are preempted rom

imposing any requirement or prohibition with respect to any subject matter

regulated by FCRAs Section 605 regarding inormation contained in consumer

reports State laws in eect on September 30, 1996, are exempt [Fair Credit

Reporting Act Section 625(b)(1)(E), 15 USC 1681t]

Although the subject matter regulated standard would appear to be a

preemption standard with broader reach than the conduct required standard,

whether it preempts the above-described state law regarding verication o a

credit applicants address is ultimately a matter to be decided by the courts

At this time, the extent o this preemption provision has not yet been tested

in a court o law, thereore the preemptive eect o this FCRA provision is not

yet known

Credit Cards


34/161


35/161

Credit Reporting


36/161


37/161

Overview

nA credit report is a credit history about a particular consumer and

contains a great deal o inormation, including annual income;

outstanding debt; bill-paying history; the number, types, and age o

the accounts; current and previous addresses; social security number;

date o birth; telephone number; and, in some cases, employment

history, bankruptcies, oreclosures, and tax liens

nCredit reports are compiled by credit reporting agencies with

inormation rom various sources, such as utility or telephone

companies, banks, and companies that have granted credit to the

consumer There are dierent types o credit reporting agencies:

nationwide credit bureaus, such as Equiax, Experian, and TransUnion,

and specialty consumer reporting agencies, which compile reports

about consumers medical conditions, residential or tenant history,

check-writing history, employment history, and insurance claims The

companies sell the inormation contained in these reports to creditors,

insurers, employers, landlords, and other businesses with a legitimate

business need, as specied7 Credit reports are used by these entities

to evaluate a consumers application or credit, insurance, employment,

or a lease8

nA credit report can play an important role in determining whether

a consumer is able to obtain credit, secure employment, rent an

apartment, or acquire insurance As a result, both state and ederal

law regulate credit reporting agencies

nCredit reports also help guard against identity thet because they

oer consumers a way to monitor their credit histories and look or

7 See Fair Credit Reporting Act, 15 U.S.C. 1681b, or additional discussion.8 See Federal Trade Commission, Building a Better Credit Report, June 2006, http://www.tc.gov/

bcp/edu/pubs/consumer/credit/cre03.pd, and Privacy Rights Clearinghouse, How Private is My Credit Report?

October 2006, http://www.privacyrights.org/s/s6-crdt.htm.

Credit Reporting


38/161

potentially raudulent accounts Accordingly, both state and ederal

law provide consumers with access to their credit reports Most

recently, the Fair and Accurate Credit Transactions Act o 2003 (FACTA)

gave consumers the right to obtain one ree credit report rom each

nationwide credit reporting agency every year

nCaliornia was the rst state to give consumers the right to place a

security reeze on their credit reports, which blocks access to their

personal credit inormation This provision helps prevent identity thet

because credit cannot be extended without the consumers permission


Credit ReportingCalifornia Law

Caliornias Consumer Credit Reporting Agencies Act, the states counterpart

to the ederal Fair Credit Reporting Act (FCRA), regulates consumer credit

reporting agencies [Caliornia Civil Code Section 17851 et seq] Among other

things, the statute requires every consumer credit reporting agency to allow

a consumer, upon request and with proper identication, to visually inspect

all les pertaining to him or her that the agency maintains at the time o the

request The agency must identiy recipients who obtained the consumers

credit report within specied time periods, and disclose a record o all inquiries

within the preceding 12 months that identied the consumer in connection with

a credit transaction not initiated by the consumer [Caliornia Civil Code Section

178510]

A consumer may request that his or her name and address be excluded

rom any list provided by a credit reporting agency or rm oers o credit

[Caliornia Civil Code Section 178511(d)(1)] Similarly, a consumer may

also request that his or her name and address be removed rom lists that a

consumer credit reporting agency urnishes or credit card solicitations, and


39/161

this direction must be honored or a minimum o two years [Caliornia Civil

Code Section 1785118]

Existing state law also permits consumers to dispute inaccurate inormation

and requires a consumer credit reporting agency to reinvestigate disputed

inormation without charge [Caliornia Civil Code Section 178516]

A consumer credit reporting agency must delete rom a consumers credit

report all inquiries that the agency has veried were the result o identity

thet [Caliornia Civil Code Section 1785161] I a consumer submits a copy

o a valid police report or investigative report rom the Department o Motor

Vehicles, the agency must block inormation appearing on the consumer credit

report that is a result o identity thet [Caliornia Civil Code Section 178516(k)]

Caliornia law also places requirements on users o consumer credit reports:

any person who uses a consumer credit report to extend credit must take

reasonable steps to veriy the accuracy o the consumers personal inormation

i the rst and last name, address, or social security number provided on the

credit application does not match, within a reasonable degree o certainty,

the inormation listed on the credit report [Caliornia Civil Code Section

1785203(a)]

I the user o the consumer credit report has been notied that the applicant

has been a victim o identity thet, he or she may not lend money or extend

credit without taking reasonable steps to veriy the consumers identity and

conrm that the application is not the result o identity thet [Caliornia Civil

Code Section 1785203(b)]

Federal Law

The ederal Fair Credit Reporting Act (FCRA) provides consumers with one ree

credit report rom each nationwide consumer reporting agency in a 12-month

period, upon request [Fair Credit Reporting Act Section 612(a),15 USC 1681j,

Credit Reporting


40/161

6

as amended by the Fair and Accurate Credit Transactions Act o 2003 (FACTA),

Pub L 108-159, 117 Stat 1952]

Except as specied, ederal law requires a consumer reporting agency to

clearly and accurately disclose to a consumer:

1 All inormation in his or her le at the time o the request;

2 The sources o the inormation;

3 Identication o each person who obtained a consumer report during the

previous two years i the report was procured or employment purposes,

or the previous year i procured or any other purpose;

4 The dates, original payees, and amounts o any checks upon which an

adverse characterization o the consumer is based;

5 A record o all inquiries received by the credit reporting agency during the

preceding one-year period in which the consumer was identied with a

credit or insurance transaction that he or she did not initiate; and

6 A notice that the consumer also may request his or her credit score, i the

consumer originally only requested a copy o his or her credit le .

[Fair Credit Reporting Act Section 609(a), 15 USC 1681g]

Generally, a consumer is entitled to a notice when a company takes an adverse

action against the consumer, based on inormation contained in his or her

credit report [Fair Credit Reporting Act Section 615, 15 USC 1681m(a)] A

recent US Supreme Court decision sought to clariy this notice requirement

In Saeco Insurance Co. o America v. Burr; Geico General Insurance Co. v.

Edo, (2007) 127 S Ct 2201, the Court held that a consumers credit report

must have been a necessary condition or the higher rate oered (the adverse

action) Furthermore, the Court permitted a rst-time applicant or credit or

insurance to sue a company under the FCRA when the company must send the

consumer an adverse action notice and does not do so The Court also ruledthat companies may be held liable or willul violations o the FCRA when they

recklessly disregard the law

The FACTA amendments to FCRA permit a consumer to dispute inaccurate

inormation directly with the entity that urnished the inormation to the



41/161

consumer reporting agency; it also requires the entity to investigate the

disputed inormation in some circumstances [Fair Credit Reporting Act

Section 623(a)(8),15 USC 1681s-2]

I an entity determines that it provided inaccurate or incomplete inormation to

a consumer reporting agency, it must promptly notiy the agency and provide

accurate and complete inormation The entity also is required to notiy all

consumer reporting agencies that received the inormation o the correction

[Fair Credit Reporting Act Section 623(a)(2), 15 USC 1681s-2]

Federal law requires that, i the consumers le contains inormation

that resulted rom an alleged identity thet and the consumer provides

documentation supporting this claim, the consumer reporting agency isrequired to block the reporting o that inormation within our business days

and notiy the entity that supplied the inormation related to the identity thet,

as specied [Fair Credit Reporting Act Section 605B, 15 USC 1681c-2]

Additional signicant provisions o FCRA, as amended by FACTA, are described

in other summaries throughout this report

Investigative ConsumerReporting AgenciesCalifornia Law

State law regulates investigative consumer reporting agencies [Caliornia

Civil Code Section 1786 et seq] These agencies are dened as any person,

corporation, or other entity that collects, reports, or transmits inormation

concerning consumers or the purpose o providing investigative consumer

reports to third parties, as specied [Caliornia Civil Code Section 17862]

Investigative consumer reports may be given only to third parties the agency

believes is using the inormation or (1) employment purposes, (2) determining

Credit Reporting


42/161

8

a consumers eligibility or insurance, (3) leasing a residential unit, or (4) other

specied reasons [Caliornia Civil Code Section 178612]

Security AlertsCalifornia LawUnder state law, consumers may place a security alert on their credit reports

noting that their identity may have been used without consent to raudulently

obtain goods or services in the consumers names A consumer credit reporting

agency must place a security alert on the consumers credit reports within

ve business days ater receiving a request The agency must also notiy each

person who requests the credit inormation about the existence o the alert

The alert remains in place or at least 90 days, and consumers may renew the

alert Any person who uses the consumers credit report to approve credit and

who receives notice o the security alert may not lend money, extend credit, or

complete the purchase, lease, or rental o goods or services without rst taking

reasonable steps to veriy a consumers identity to ensure that the application is

not the result o identity thet [Caliornia Civil Code Section 1785111] See the

ederal discussion on page 39 or details on the possible preemptive eect o

FCRA

Federal Law

Federal law contains related provisions under the Fair Credit Reporting Act

(FCRA), as amended by the Fair and Accurate Credit Transactions Act o 2003

(FACTA), regarding nationwide consumer reporting agencies These provisions

permit a consumer to place one o three kinds o alerts on their credit les

maintained by nationwide agencies: (1) a raud alert, (2) an extended raud alert,

or (3) an active-duty alert The three alerts dier by what is required to initiate

them, the length o time they are imposed, and the limits that are imposed on

those who use a consumers report However, the consumer reporting agency

that receives any one o the three alerts must orward the pertinent inormation

to the other nationwide consumer reporting agencies This requirement allows



43/161

9

consumers to place an alert on their les with a call to only one nationwide credit

reporting agency [Fair Credit Reporting Act Section 605A, 15 USC 1681c-1]

A ederal raud alert lasts or 90 days, and consumers may place one on their

credit le i they suspect they areor are about to becomea victim o raudor a related crime, including identity thet Extended raud alerts remain in place

or seven years, and to place such an alert on their le, consumers must submit

an identity thet report Active-duty military personnel also may place alerts on

their credit reports or 12 months; pursuant to a rule issued by the Federal Trade

Commission, this period may be renewed i an individual receives an extended

deployment [Fair Credit Reporting Act Sections 605A(a)-(c), 15 USC 1681c-1;

Federal Trade Commission, 16 CFR Parts 603, 613, and 614]

All three ederal alerts must state that the consumer does not authorize

new credit, the issuance o an additional credit card, or any increase in a

credit limit on an existing account For raud and active-duty alerts, persons

or businesses who use the consumers report must utilize reasonable

policies and procedures to orm a reasonable belie that the user knows

the identity o the person making the request They may either contact the

consumer at a designated telephone number or take reasonable steps to

veriy the consumers identity and conrm that the application is not the

result o identity thet For an extended alert, however, they must contactthe consumer in person or use another method designated by the consumer

to conrm that the application is not the result o identity thet [Fair Credit

Reporting Act Section 605A(h), 15 USC 1681c-1]

Federal law regarding security alerts contains preemption provisions

Specically, Congress preempted states rom enacting any requirement or

prohibition with respect to the conduct required by the ederal security alert

provisions described above [Fair Credit Reporting Act Section 625(b)(5)(B),

15 USC 1681t] This provision may arguably preempt Caliornias security

alert law to the extent that it relates to the same conduct required under

ederal law However, states may be able to act where ederal law does not

impose a specic requirement While the scope o this preemption standard

has yet to be tested in court, in those areas where ederal law is silent with

respect to conduct required, a state remains ree to act

Credit Reporting


44/161

0

Security FreezesCalifornia Law

Under state law, a consumer may place a security reeze on his or her credit

report, which prohibits credit reporting agencies rom releasing the consumers

credit report or any inormation rom it without the consumers authorization 9

Certain specied entities may access a consumers credit report even i a

security reeze is in place, including law enorcement acting pursuant to a court

order or warrant, a child support agency, or the Franchise Tax Board

A consumer credit reporting agency must place a security reeze on a

consumers credit report within ve business days ater receiving a request;

the security reeze remains in place until the consumer requests its removal

Credit reporting agencies must send consumers a written conrmation o

the reeze and provide them with a unique personal identication number or

password to use to request the release o their credit inormation The reeze

may be temporarily lited by a consumer to grant access to the credit report by

a specic party or or a particular period o time

Credit reporting agencies may charge a consumer no more than $10 or each

security reeze, removal o the reeze, or a temporary lit o the reeze or a

specic time period, and no more than $12 or a temporary lit o the reeze or

a specic party; no ee may be charged to a victim o identity thet, as specied

[Caliornia Civil Code Section 1785112]

9 This provision was invalidated by the Court o Appeal, Second Appellate District, on First Amendment grounds as

applied to U.D. Registry (a credit reporting agency that provides consumer credit reports to landlords) becauseits reports are materially drawn rom public records. While the court ruled that Caliornia Civil Code Section

1785.11.2 was unconstitutional as applied to U.D. Registry (and could not be enorced against the company), the

court reused to hold that the statute was unconstitutional on its ace (which would have limited enorcement

against other credit reporting agencies). [U.D. Registry, Inc. v. State of California(2006) 144 Cal. App. 4th 405.]

U.D. Registry petitioned the Caliornia Supreme Court to grant review o the decision. This petition was rejected.

[U.D. Registry, Inc. v. State of California2007 Cal. LEXIS 3098 (Cal. Feb. 7, 2007).] In 2007 the Legislature

amended the statute to address the issues raised in U.D. Registry, Inc. v. State of Californiaby providing that a

credit reporting agency may disclose public record inormation it obtains lawully rom an open public record to

the extent permitted by law. [Caliornia Civil Code Section 1785.11.2(n).]



45/161

Data Security


46/161


47/161

Overview

nIn 2003 Caliornia became the rst state in the nation to require

companies and government agencies to notiy consumers when

there is a breach in the security o their personal inormation Since

that time, 37 other states and the District o Columbia have ollowed

Caliornias lead and enacted breach notication statutes10 Congress

is also considering whether to mandate that consumers must be

notied when the security o their personal inormation has been

breached

nAccording to the Privacy Rights Clearinghouse, more than 217 million

records containing sensitive personal inormation have been involved

in security breaches since February 200511

nNotiying consumers when the security o their personal inormation

has been breached can play an important role in identity thet

prevention For example, a consumer can decide to place a raud alert

or security reeze on his or her credit report, depending on the type o

inormation that was breached and who obtained access to it Such

quick action could prevent an identity thie rom obtaining new credit

in the consumers name

nCaliornias law requiring notication o security breaches has also

resulted in the publicsand lawmakersheightened interest in data

security For instance, both state and ederal law impose security

requirements on businesses when they destroy customer records

Caliornia law also requires businesses to implement and maintain

reasonable security procedures to protect the personal inormation

they own or license

10 Consumers Union, Notice o Security Breach State Laws, August 21, 2007, http://www.consumersunion.

org/campaigns/Breach_laws_May05.pd.11 For a listing o data breaches, see Privacy Rights Clearinghouse, A Chronology o Data Breaches,

http://www.privacyrights.org/ar/ChronDataBreaches.htm. This listing is updated regularly.

Data Security


48/161

Destruction o Businessand Medical Records

California Law

State law requires businesses, when disposing o customer records, to take all

reasonable steps to destroy personal inormation in the records by shredding,

erasing, or otherwise modiying the personal inormation so it is unreadable or

undecipherable The law denes customer as an individual who provides

personal inormation to a business or the purpose o purchasing or leasing

a product or obtaining a service rom the business [Caliornia Civil Code

Sections 179880 and 179881]

Under the statute, personal inormation is dened broadly to mean any

inormation that identies, relates to, describes, or is capable o being

associated with a particular individual In this instance, personal inormation

includes the individuals name, signature, social security number, physical

characteristics or description, address, telephone number, passport number,

driver's license or state identication card number, insurance policy number,

education, employment, employment history, bank account number, credit cardnumber, debit card number, or any other nancial inormation [Caliornia Civil

Code Section 179880]

Caliornias Condentiality o Medical Inormation Act also contains provisions

saeguarding the destruction and disposal o medical records The act requires

health care providers, health care service plans, pharmaceutical companies,

and contractorswhen destroying or disposing o medical recordsto do so in

a manner that preserves the condentiality o the inormation contained in the

records [Caliornia Civil Code Section 56101]



49/161

Federal Law

Federal law includes provisions relating to the destruction o business records,

but more narrowly addresses the issue As described on the opposite page,

Caliornia law concerns all personal inormation contained in customer records

Yet ederal law only relates to consumer reports or inormation derived rom

such reports or a business purpose, and its requirements are imposed only on

users o those reports

Under the ederal Fair Credit Reporting Act (FCRA) and a related nal rule

issued in June 2005 by the Federal Trade Commission, businesses and

individuals must properly dispose o such inormation by taking reasonable

measures to protect against unauthorized access to, or use o, the inormation

when it is disposed The law applies to anyone who uses consumer reports and

applies to inormation obtained rom a consumer reporting agency that is used,

or is expected to be used, in establishing a consumers eligibility or credit,

employment, or insurance, among other things, as dened under FCRA [Fair

Credit Reporting Act Section 628, 15 USC 1681w; Federal Trade Commission,

16 CFR Part 682]

FCRA preempts state law requirements with respect to the conduct required

by its document-destruction provision [Fair Credit Reporting Act Section

625(b)(5)(I), 15 USC 1681t]

Under FACTA, Congress preempted states rom enacting any requirement

or prohibition regarding the conduct required by specic provisions This

language arguably allows states to act where ederal law does not impose a

specic requirement The extent and practical eect o the FACTA preemption

provisions are not yet known It also is noteworthy that because Caliornia

law is broaderapplying to more than just inormation obtained rom credit

reports and more than just persons or entities who use these reportsthe

preemptive eect o FCRA on the state law described on the opposite page

may be limited

Data Security


50/161

6


Notifcation o Breachin Data Security

California LawState law requires state agencies and businesses that own or license

computerized data containing personal inormation to disclose any breach

o the systems security to a Caliornia resident whose unencrypted personal

inormation was, or is reasonably believed to have been, acquired by an

unauthorized person The disclosure must be made in the most expedient

manner and without unreasonable delay (although the notication may be

delayed i a law enorcement agency determines it will impede a criminal

investigation)

State agencies and businesses that maintain, but do not own, computerized

data that includes personal inormation are required to notiy the owner or

licensee o the inormation o any data security breach immediately ollowing

the discovery i personal inormation was, or is reasonably believed to have

been, acquired by an unauthorized person

The statutes dene personal inormation to mean an individuals rst name

or rst initial and last name in combination with one o the ollowing, when

either the name or the data elements are not encrypted: (1) social security

number, (2) drivers license or Caliornia identication card number,

(3) account, credit, or debit card number in combination with a security code or

password that would permit access to the individuals nancial account,

(4) medical inormation, or (5) health insurance inormation Personal

inormation does not include inormation publicly available rom ederal, state,

or local government records State agencies and businesses must provide


51/161

notice to consumers using either written notice, electronic notice, or substitute

notice, as specied12 [Caliornia Civil Code Sections 179829 and 179882]

Personal Inormation:Reasonable Security ProceduresCalifornia Law

Under state law, a business that owns or licenses personal inormation about

a Caliornia resident must implement and maintain reasonable security

procedures and practices appropriate to the nature o the inormation to protect

the inormation rom unauthorized access, destruction, use, modication, or

disclosure Similar requirements apply when a business discloses inormation

about a Caliornia resident pursuant to a contract with a nonaliated third

party [Caliornia Civil Code Section 1798815]

The statute denes personal inormation to mean an individuals rst name

or rst initial and last name in combination with one o the ollowing, when

either the name or the data elements are not encrypted: (1) social security

number, (2) drivers license or Caliornia identication card number, (3) account,

credit, or debit card number in combination with a security code or password

that would permit access to the individuals nancial account, or (4) medical

inormation Personal inormation does not include inormation that is publicly

available rom ederal, state, or local government records The section does not

apply to nancial institutions, health care providers, or other specied entities

[Caliornia Civil Code Section 1798815]

Data Security

12 Although there is no ederal statutory law specically on this issue, several ederal agencies have issuedguidance on security breaches under the Interagency Guidance on Response Programs or Unauthorized

Access to Customer Inormation and Customer Notice. The guidance is intended to clariy the responsibilities

o nancial institutions under ederal laws and interpret requirements o GrammLeachBliley. The guidance

addresses unauthorized access to, or use o, customer inormation that could result in substantial harm or

inconvenience to a customer. The guidance also includes standards or when a nancial institution should

provide notice to customers when sensitive inormation is accessed without authorization. State laws not

inconsistent with GrammLeachBliley are not preempted. [Oce o the Comptroller o the Currency, 12 C.F.R.

Part 30; Federal Reserve System, 12 C.F.R. Parts 208 and 225; Federal Deposit Insurance Corporation, 12 C.F.R.

Part 364; and Oce o Thrit Supervision, 12 C.F.R. Parts 568 and 570, http://www.occ.treas.gov/consumer/

Customernoticeguidance.pd.] GrammLeachBliley generally provides that state laws that are more protective

o consumers privacy are not inconsistent. [15 U.S.C. 6807.]


52/161


53/161

Financial Privacyand Related Issues


54/161


55/161

Overview

nCaliornia led the nation in enacting the Financial Inormation

Privacy Act, which gives consumers more control over their personal

nancial inormation than what is currently granted by ederal law

The act gives consumers the ability to control the sharing o their

nonpublic personal inormation by requiring a nancial institution

to obtain a consumers consent beore it may share the inormation

with a nonaliated third party This is commonly known as an

opt in because a nancial institution may not share a consumers

inormation unless he or she opts to share it Federal law, however,

subjects the sharing o personal inormation with nonaliated

third parties to an opt out so that, as long as the consumer does

not opt out, a nancial institution may share his or her inormation

with nonaliated third parties Federal law allows states to provide

consumers with greater privacy protections; thereore, with respect

to sharing with nonaliated third parties, Caliornia law controls

nCaliornia law also subjects the sharing o nonpublic personal

inormation with aliates to an opt out, whereas ederal law does not

place restrictions on aliate sharing The validity o this section o

Caliornias nancial privacy law is presently beore the courts and

is described in more detail on page 53

nBoth state and ederal law regulate the practice o debt collection and

impose restrictions on threatening or harassing behavior



56/161

Account Numbers California Law

State law prohibits a nancial institution rom reusing a checking or savingsaccount number until at least three years have passed since a previous account

using that same number was closed [Caliornia Financial Code Section 4100]

Debt CollectionCalifornia Law

Caliornias Rosenthal Fair Debt Collection Practices Act regulates third-partydebt collectors in a manner similar to the ederal law described below State

law also prohibits any threats, harassment, or various alse or misleading

representations, and limits the amount o inormation about a debtor that a

collector may reveal to a third party Furthermore, the act allows debtors to

bring an action or actual damages against a debt collector who has violated

the statute The protections o this act also apply to businesses [Caliornia Civil

Code Section 1788 et seq]

Federal Law

The business practices o third-party debt collectors are regulated under the

ederal Fair Debt Collection Practices Act Among other things, the act requires

a debt collector to make an initial disclosure to the debtor that the collector is

attempting to collect a debt and that any inormation obtained will be used or

that purpose Federal law also prohibits any threats, harassment, or various

alse or misleading representations, and limits the amount o inormation about

a debtor that a collector may reveal to a third party The ederal act specically

allows or state regulation regarding debt collection practices, provided that

state laws are not inconsistent with ederal law State laws may give consumers

greater protection than ederal law [Fair Debt Collection Practices Act, 15 USC

1692 et seq]



57/161

13 For descriptions o opt in and opt out, see page 51.14 The restriction on sharing with aliates was challenged by the American Bankers Association, Financial

Services Roundtable, and Consumer Bankers Association on the basis that it was preempted by the Fair Credit

Reporting Act (FCRA). The U.S. Court o Appeals or the Ninth Circuit agreed and directed the U.S. District Court

to determine the scope o the preemption. [Am. Bankers Assn v. Gould, 412 F.3d 1081.] In October 2005 the

district court issued its ruling that no part o this provision survives preemption and enjoined the state rom

enorcing the aliate-sharing restrictions to the extent they are preempted by FCRA. The court made clear in

its ruling, however, that other provisions o Caliornias nancial privacy law still stand. [Am. Bankers Assn v.

Lockyer, 2005 U.S. Dist. LEXIS 22437.] In November 2005 the attorney generals oce led a notice o appeal

with the U.S. Court o Appeals or the Ninth Circuit. This appeal is pending.


Financial PrivacyCalifornia Law

Caliornias Financial Inormation Privacy Act places restrictions on the sharingo consumers nonpublic personal inormation by nancial institutions

Nonpublic personal inormation does not include publicly available

inormation; it is dened as personally identiable nancial inormation that is:

1 Provided by a consumer to a nancial institution;

2 The result o a transaction with a consumer or a service perormed

or a consumer; or

3 Otherwise obtained by a nancial institution

[Caliornia Financial Code Section 4052(a)]

A nancial institution must rst obtain a consumers consent beore it may

disclose or share the consumers nonpublic personal inormation with any

nonaliated third party (an opt in)13 [Caliornia Financial Code Section

4053(a)(1)] Beore disclosing nonpublic personal inormation to an aliate, a

nancial institution must give a consumer an opportunity to direct that his or

her inormation may not be disclosed (an opt out) [Caliornia Financial Code

Section 4053(b)(1)] The preemptive eect o the Fair Credit Reporting Act on

this restriction is a matter currently beore the courts14

Provided that the consumer has not opted out, a nancial institution may share

the consumers personal inormation with another nancial institution when

they enter into a joint marketing agreement to oer a nancial product or

service that meets specied requirements [Caliornia Financial Code Section

4053(b)(2)] The unrestricted sharing o nonpublic personal inormation


58/161

between a nancial institution and its wholly owned nancial-institution

subsidiaries in the same line o business also is permitted, irrespective o any

consumer choice, provided that specied requirements are met [Caliornia

Financial Code Section 4053(c)]

Caliornia law contains a statutory orm that a nancial institution may use

to oer consumers an opportunity to communicate their privacy choices A

nancial institution that uses the statutory orm is deemed to have complied

with the notice requirements; a nancial institution also may use an alternate

orm subject to specied limitations [Caliornia Financial Code Section

4053(d)]

Federal LawFederal law prohibits a nancial institution, under the GrammLeachBliley Act

(GLB) o 1999 (Pub L 106-102, 113 Stat 1338), rom disclosing a consumers

nonpublic personal inormation to a nonaliated third party unless the

nancial institution (1) provides the consumer with a clear and conspicuous

disclosure o the nancial institutions specied privacy policies and practices,

(2) gives the consumer the opportunity to stop the disclosure beore the

inormation is initially disclosed (an opt out), and (3) provides the consumer

with an explanation o how to exercise his or her right to opt out [15 USC

6802(b)(1)] The act contains specied exceptions [15 USC 6802(e)]

Under GLB, nancial institutions are permitted to disclose personal inormation

to a third partyeven i a consumer has opted outi the disclosure is to

enable the third party to perorm services or or unctions on behal o the

nancial institution, including the marketing o the institutions own products or

services, or products or services oered jointly between two or more nancial

institutions that comply with GLBs provisions (oten reerred to as a joint

marketing agreement) In this case, the nancial institution must enter into

a contractual agreement with the third party that requires the third party to

maintain the condentiality o the inormation [15 USC 6802(b)(2)]



59/161

GLB also specically invites states to enact greater privacy protections than

those contained in the ederal act [15 USC 6807]

In 2006 Congress passed the Financial Services Regulatory Relie Act o 2006

(Pub L 109-351, 120 Stat 1966), which amended GLB to require ederal

agencies to jointly develop a model privacy orm or nancial institutions to

use or GLB-required disclosures to consumers The act requires the agencies

to develop a orm that is succinct and comprehensible and allows consumers

to easily identiy and compare the sharing and privacy practices o nancial

institutions Under the act, a nancial institution that uses the model orm is

deemed to have satised the notice requirements o GLB (a sae harbor)

In March 2007, pursuant to the act, eight ederal regulators issued a notice o

proposed rulemaking regarding a model privacy orm15 Public comments weredue by May 29, 2007 A nal rule has not yet been issued

Insurance Inormation andPrivacy Protection ActCalifornia Law

State law governs the collection, use, and disclosure o inormation gathered in

connection with insurance transactions The act generally limits disclosure o

personal inormation by insurers and agents without the written consent o the

individual [Caliornia Insurance Code Section 791 et seq]


15 Interagency Proposal or Model Privacy Form Under the GrammLeachBliley Act, 72 Fed. Reg. 14940 (2007) (to

be codied at 12 C.F.R. Part 40, 12 C.F.R. Part 573, 12 C.F.R. Part 216, 12 C.F.R. Part 332, 12 C.F.R. Part 716, 16

C.F.R. Part 313, 17 C.F.R. Part 160, and 17 C.F.R. Part 248) (proposed March 29, 2007).


60/161

6

Insurers: Genetic TestingCalifornia Law

State law prohibits insurers rom requiring a genetic test or the purpose o

determining insurability, except or policies contingent on review or testing

or other diseases or medical conditions I an insurer requires a genetic test

to determine insurability, the insurer must comply with inormed consent

and privacy protection rules, as specied [Caliornia Insurance Code Section

10148]

Civil penalties may be assessed or the willul or negligent disclosure o genetic

test results i those results are disclosed in a manner that identies or provides

identiying characteristics about the subject o the test Any person who

negligently or willully discloses the results is also liable or actual damages,

including damages or resulting economic, bodily, or emotional harm

[Caliornia Insurance Code Section 101491]



61/161

Identity Theft


62/161


63/161

9

Overview

n For the seventh year in a row, identity thet topped the Federal

Trade Commissions list o top 10 consumer complaints in 200616 O

the 674,354 complaints led with the commission during that year,246,035or 36 percentrelated to identity thet17 The most common

orm o reported identity thet was credit card raud (25 percent o

complaints), ollowed by phone or utilities raud (16 percent), bank

raud (16 percent), and employment raud (14 percent)18

Among the 50 states, Caliornia ranked third in identity thet victims

per capita, ater Arizona and Nevada19 Five o the top 10 major

metropolitan areas with the highest per capita rates o reported

identity thet were in Caliornia: Napa, Madera, Yuba City,HanordCorcoran, VallejoFaireld20

n Many Americans are concerned about the threat o identity thet

In a poll by Zogby International conducted on March 2326, 2007,

91 percent o nationwide respondents said they are concerned their

identity could be stolen and used to make unauthorized purchases

One in three surveyed said they are not condent that retailers, banks,

and credit card companies are taking sucient steps to saeguard

their personal inormation21

nOver the years, both Caliornia and Congress have enacted various

statutes relating to identity thet State and ederal law, or example,

both impose criminal penalties or the crime o identity thet

Caliornia law also allows an identity thet victim to petition a court or

a nding o innocence when an identity thie has committed crimes in

the victims name And Caliornia recently enacted a statute requiring

county welare departments to obtain a credit report on behal o

oster-care children to determine whether they have been a victim oidentity thet

16 Federal Trade Commission, FTC Issues Annual List o Top Consumer Complaints, February 7, 2007,

http://www.tc.gov/opa/2007/02/topcomplaints.shtm.17 Federal Trade Commission, Consumer Sentinel and Identity Thet Data Clearinghouse, Consumer Fraud and

Identity Thet Complaint Data, JanuaryDecember 2006, February 2007, p. 5, http://www.consumer.gov/

sentinel/pubs/Top10Fraud2006.pd.18 Id., p. 13.19 Id., p. 18.20 Id., p. 17.21 Zogby International, Zogby Poll: Most Americans Worry About Identity Thet, April 3, 2007.

Identity Thet


64/161

60

Crime o Identity ThetCalifornia Law

Under state law, it is unlawul to willully use someone elses personalidentiying inormation or an unlawul purpose, including to obtain or attempt

to obtain credit, goods, services, or medical inormation in the name o the

other person without that persons consent [Caliornia Penal Code Section

5305(a)]

State law also prohibits acquiring or retaining possession o personal

identiying inormation with the intent to deraud [Caliornia Penal Code

Section 5305(c)] Additional penalties are imposed i the violator haspreviously been convicted o identity thet or possesses the personal

inormation o 10 or more people [Caliornia Penal Code Sections 5305(c)(2)

and (c)(3)] Also prohibited is the sale, transer, or conveyance o personal

identiying inormation with actual knowledge that it will be used to commit

identity thet [Caliornia Penal Code Section 5305(d)(2)]

Personal identiying inormation includes, among other things, name,

address, telephone numbers, social security number, drivers license number,

mothers maiden name, checking or savings account numbers, unique

biometric data (such as a ngerprint), or credit card numbers [Caliornia

Penal Code Section 53055]

Federal Law

Federal law makes it a crime to knowingly transer, possess, or use another

persons means o identication with the intent to commit, aid, or abet an

unlawul activity that violates ederal law or constitutes a elony under state

law [18 USC 1028(a)(7)] Federal