CBA Regulatory Compliance Bulletin

Vol 2001 No. 15 November 7, 2001

California Passes ID Theft Bill

Curbing identity theft has been a high priority for state legislators during the past two years, and SB 168 is a product of that effort. This bill was first introduced last year in a form that would have created significant problems for banks. For example, it would have prohibited the use of social security numbers as a means of identifying a customer, such as inputting an SSN to gain access to a web site. It also would have cast doubt on banks' ability to use SSNs internally for control purposes. From the inception of the bill last year, CBA worked cooperatively with the bill's author, and the bill that passed this year addresses most of the concerns raised by CBA.

Overview. The new law contains two parts. The first establishes procedures for consumers (i) to alert credit reporting agencies of potentially fraudulent activities involving the consumer's credit information, and (ii) to block access to a consumer's credit report. This part primarily affects credit reporting agencies. The second part of SB 168, affecting banks more directly, places restrictions on the use and disclosure of social security numbers. Nevertheless, the impact of the SSN restrictions on banks should not be significant in light of the privacy and security standards already effective under Gramm-Leach-Bliley ("GLB").

SSNs. SB 168 prohibits any person or entity (except state and local agencies) from publicly posting or displaying an individual's social security number, which means to "intentionally communicate or otherwise make [an SSN] available to the general public." While "general public" is not defined, it is likely that conduct well short of posting SSNs for the public at large will run afoul of this prohibition, such as releasing an SSN to an unrelated third party where no exception applies. Under GLB, personal information, including SSNs, may be shared with third parties, subject to a right of opt out. Although SB 168 has no provision for opting out, its restriction is narrower: SSNs may not be posted or displayed publicly. Presumably, a nonaffiliated third party with whom a bank properly shares SSNs under GLB (i.e., pursuant to an agreement and subject to an opt out right) is not a member of the general public.

SB 168 also creates other specific prohibitions. An SSN may not be printed on a card used as a means to obtain access to a product or service. In practice, this limits the ability to use a customer's SSN as an account number. The use of the word "print" should leave unaffected the ability to include an SSN as part of the information that is encoded on a magnetic stripe or a chip in the card.

The new law allows a bank or other entity to require a person to transmit an SSN over the internet as long as the connection is "secure" or the SSN is encrypted. The law does not define either the term "secure" or the level of encryption technology that is required. If an SSN is required as a means of gaining access to an internet web site, then the user must also be required to enter a password, a unique personal identification number, or other authentication device to gain access. The law is silent on the transmission of SSNs over other media, such as a telephone key pad.

The provision that may raise some concerns is a prohibition against printing a person's SSN on any materials that are mailed to the person unless doing so is required by law. CBA was able to secure an additional exception for the mailing of "applications and forms" (not defined). Thus, if a consumer makes an application by telephone, a bank may deliver a completed application that includes the applicant's SSN printed on it by mail for the applicant's signature. Again, the law is silent on the delivery of materials, including applications and forms, by means other than the mail. Thus, delivering a document that contains an SSN by means of email or fax is not explicitly prohibited or exempted. The bill author's office has confirmed unofficially that the bill covers only materials delivered through the traditional mail service.

This restriction on mailings makes it prudent for banks to review their practices and procedures to ensure that any mailings that include SSNs are either required by law or come within the "applications and forms" exception. This restriction is, in this respect, more stringent than the GLB privacy standards, which do not limit what can be communicated directly to the consumer. The purpose of this restriction is to reduce the risks associated with mail theft. Note that the bill does not explicitly restrict the use of a truncated SSN.
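The review of mailing practices suggested above can be partly automated. What follows is an added example written for this edition, not code from CBA or from the bulletin: it scans the text of outbound mailings for full SSNs, lets a document through untouched only when it is tagged as required by law or as an "application or form" (the two exceptions the bulletin describes), and otherwise truncates each SSN to its last four digits, which the bulletin notes the law does not explicitly restrict. The category tags, the `Mailing` record, and the three sample documents are constructed for the example; the SSN pattern excludes area numbers the Social Security Administration never issues (000, 666, 900-999), group 00 and serial 0000 to reduce false matches on other nine-digit numbers. The legal categorisation of any real document remains a question for counsel.

```python
import re
from dataclasses import dataclass

# Hyphen- or space-separated SSN. The negative lookaheads drop area numbers that
# are never issued (000, 666, 900-999), group 00 and serial 0000, which cuts
# false positives on other nine-digit numbers such as account numbers.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d{2})(\d{3})[- ](?!00)(\d{2})[- ](?!0000)(\d{4})\b"
)

# Hypothetical category tags set by the originating system. The two exempt
# categories correspond to the exceptions described in the bulletin.
EXEMPT_CATEGORIES = {"required_by_law", "application_or_form"}


@dataclass
class Mailing:
    doc_id: str
    category: str
    body: str


def find_ssns(text):
    """Return every full SSN found in text, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def truncate_ssn(ssn):
    """Keep only the last four digits: 123-45-6789 -> XXX-XX-6789."""
    return "XXX-XX-" + ssn[-4:]


def redact_ssns(text):
    """Replace each full SSN in text with its truncated form."""
    return SSN_RE.sub(lambda m: truncate_ssn(m.group(0)), text)


def check_mailing(mailing):
    """Apply the mailing rule to one document.

    Returns a finding dict: 'allowed' is True when the document may go out as
    written; 'body' is the text to mail, with full SSNs truncated whenever the
    document's category is not exempt.
    """
    ssns = find_ssns(mailing.body)
    finding = {"doc_id": mailing.doc_id, "ssn_count": len(ssns)}
    if not ssns or mailing.category in EXEMPT_CATEGORIES:
        finding.update(allowed=True, body=mailing.body)
    else:
        finding.update(allowed=False, body=redact_ssns(mailing.body))
    return finding


# Constructed sample mailings; the SSN and account number are fictitious.
SAMPLE_MAILINGS = [
    Mailing("1099-INT-0001", "required_by_law",
            "Form 1099-INT. Recipient's identification number: 123-45-6789."),
    Mailing("APP-2002-0042", "application_or_form",
            "Deposit account application taken by telephone. SSN: 123-45-6789. "
            "Please sign and return."),
    Mailing("STMT-2002-0300", "statement",
            "Monthly statement for taxpayer ID 123 45 6789. "
            "Account 987654321, balance $1,250.00."),
]


def run_checks(mailings=SAMPLE_MAILINGS):
    """Check each mailing and return the list of findings."""
    return [check_mailing(m) for m in mailings]


if __name__ == "__main__":
    for f in run_checks():
        status = "OK   " if f["allowed"] else "FIXED"
        print(f"{status} {f['doc_id']} ({f['ssn_count']} SSN) -> {f['body']}")
```

Run as-is, the two exempt documents pass unchanged and the statement is rewritten to carry "XXX-XX-6789". Because the category tag decides the outcome, the tagging of document types is the control that deserves review; the scan only catches full SSNs that appear in an untagged or mis-tagged mailing.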

Another provision that CBA was able to include in the bill is an allowance for using SSNs for "internal verification or administrative purposes." Banks commonly use SSNs as a control number because an SSN must be obtained from every customer for tax purposes and is perhaps the only unique customer identifier. This provision is not technically an exception to the bill because none of the listed prohibitions prevents a bank from using SSNs for control purposes. Thus, use of the term "internal" should not affect a bank's ability to rely on outside service providers for such tasks as data processing. This provision is, rather, an affirmation that the new law does not restrict this practice.


The bill contains a grandfather clause. If a person (other than a public entity) has used an SSN in a manner that is prohibited by SB 168 prior to its effective date, July 1, 2002, and the practice is continuous, the person may continue the practice under specific conditions. The user of the SSN must provide an annual notice beginning in the year 2002 informing the individual of the right to stop the practice. If the individual requests in writing that the practice be stopped, the request must be implemented within 30 days after receipt, and no fee may be imposed. Service to the requesting consumer may not be denied because of such a request.

Credit Reporting Agencies. The other major part of SB 168 introduces new duties on credit reporting agencies to respond to consumer security alerts and to freeze information contained in a consumer report. Upon request by a consumer, a credit reporting agency (hereafter, "agency") is required to place a notice in a consumer's credit report that notifies a recipient of the credit report, credit score, or summary report that the consumer's identity may have been used fraudulently. The agency has five business days to place a security alert after receipt of the request, and must maintain it for at least 90 days. Agencies are also required to maintain a toll-free telephone number to accept security alerts 24 hours a day, seven days a week, and this number must be included in written disclosures and printed in a clear and conspicuous manner.

A consumer may also place a "security freeze" on his or her credit report. A security freeze is a notice placed in the report indicating two things: the agency is prohibited from releasing a credit report or any information from it without the express authorization of the consumer; and any other person is prohibited from releasing information from the report to "a third party" without prior express authorization from the consumer. Certain exemptions from a security freeze are available. Also, procedures are established to permit a consumer to authorize an agency to provide limited access to a frozen report by a specific party or for a period of time.

Note that an agency is permitted, but is not required, to advise a third party that a security freeze is in effect. Thus, a bank could unwittingly be in possession of a credit report that was frozen after it was received from an agency. However, since the prohibition is against releasing information in a report to a "third party," significant violations could be avoided through appropriate handling of the report pursuant to the Fair Credit Reporting Act.

SB 168 places no restrictions on a user of a credit report that is subject to an alert or a freeze. Indeed, it provides that if a third party requests a credit report that is frozen in connection with an "application for credit or any other use," the third party may treat the application as incomplete. Thus, the burden is on the consumer to notify an agency that a third party is authorized to obtain a credit report.

The provision on security alerts is effective on July 1, 2002, and the provision on security freezes is effective on January 1, 2003. The SSN provisions are effective on July 1, 2002. The CBA lobbyists on SB 168 are James Clark and Greg Wilhelm, who can be reached at 916-441-7377, extensions 209 and 208, respectively.

The information contained in this CBA Regulatory Compliance Bulletin is not intended to constitute, and should not be received as, legal advice.  Please consult with your counsel for more detailed information applicable to your institution.
   

CBA Regulatory Compliance Committee

Patricia A. Cantu (Chair), Mary Lou Bonkofsky, Janet Bonnefin, Lyndon Christensen, James Curtis, Vira Jo Denny, Michael Hood, Jeri Killian, Lynn Lawrence, Stuart J. Lehr, Garry Prosperi, Thomas E. McCullough, James Rockenbach, Christine Scott, Deborah Thoren-Peden, James Thvedt and Meg Troughton

Leland Chan, General Counsel
California Bankers Association, 201 Mission Street, Suite 2400, San Francisco, California 94105-1839
Tel (415) 284-6999 ext. 214, Fax (415) 284-1521
E-mail: lchan@calbankers.com