BILL ANALYSIS �
SB 168
Page 1
Date of Hearing: July 10, 2001
ASSEMBLY COMMITTEE ON JUDICIARY
Darrell Steinberg, Chair
SB 168 (Bowen) - As Amended: July 5, 2001
SENATE VOTE : 24-13
SUBJECT : PERSONAL INFORMATION: CONFIDENTIALITY: IDENTITY
THEFT
KEY ISSUES :
1)SHOULD CONSUMERS BE PERMITTED TO ASSERT SOME CONTROL OVER THE
USE OF THEIR PERSONAL AND FINANCIAL INFORMATION RELEASED FROM
THEIR CREDIT REPORTS IN AN EFFORT TO PROTECT CONSUMERS AGAINST
IDENTIFY THEFT?
2)SHOULD THE USE OF SOCIAL SECURITY NUMBERS AS IDENTIFIERS BE
PHASED OUT, WITH LIMITED EXCEPTIONS, IN ORDER TO BETTER HELP
PREVENT AGAINST IDENTITY THEFT BY PROTECTING A NUMBER THAT HAS
BECOME AN IMPORTANT KEY TO A PERSON'S IDENTITY?
SYNOPSIS
This measure seeks to prevent identity theft by permitting
consumers to place security alerts and security freezes on their
credit reports and restricting the use of Social Security
numbers as identifiers. Under the bill, a consumer would be
able to place an alert in his or her credit report, noting that
the consumer's identity may have been used without the
consumer's consent. The bill also permits a consumer to place a
security freeze on his or her credit report which would prohibit
the credit reporting agency from releasing the consumer's credit
report or any information from it without the express
authorization of the consumer. A consumer, using a personal
identification number assigned to him or her by the credit
reporting agency, would be able to lift the freeze and allow his
or her credit report to be accessed for a specific purpose,
party or period of time, provided that specified information is
presented to the credit bureau. The bill also restricts the use
of Social Security numbers as personal identifiers, except in
specified cases. These restrictions become effective on July 1,
2002, except that the bill's requirements regarding the use of
Social Security numbers do not apply to health plans, health
�
SB 168
Page 2
care providers, licensed health care professionals, or
contractors until on or after January 1, 2003.
Supporters of the bill argue that prevention is the most
effective way to combat identity theft, and the bill's security
alert and security freeze provisions are necessary to give the
consumer, rather than the credit grantor or credit bureau,
control over the use of his or her credit history. Supporters
also note that the bill's restrictions on the use of Social
Security numbers as identifiers are needed because Social
Security numbers have become the key to a person's identity.
They argue that, because the number has become one of the most
easily obtained and widely used tools for identity theft,
limiting its present widespread use as a personal identifier
will make identity theft significantly harder to commit.
Opponents of the measure argue that the bill's provisions
concerning security alerts and security freezes will add
significant new costs to the credit economy, harm consumers by
delaying, or preventing altogether, necessary credit
transactions for consumers who have frozen their credit reports
and may promote identify fraud rather than alleviate it. Other
opponents raise issue with the bill's restrictions on the use of
Social Security numbers as personal identifiers. As explained
in the analysis, several health plans and insurers have argued
they are currently retooling their systems and procedures to
comply with other requirements under the federal Health
Insurance Portability and Accountability Act (HIPAA) of 1996 and
note that HIPAA required the development of a personal health
care identifier.
SUMMARY : Requires credit reporting agencies to accept consumer
"security alerts" and "security freezes" and regulates usage of
Social Security numbers. Specifically, this bill :
1)Permits a consumer to request, by phone or mail, that a credit
reporting agency place a "security alert" in his or her credit
report and defines a security alert as a notice that informs
recipients of a credit report that the consumer's identity may
have been used without the consumer's consent.
2)Requires the credit reporting agency to place a security alert
on a consumer's credit report no later than 5 business days
after receiving a request from the consumer and provides that
the security alert shall remain in place for at least 90 days
�
SB 168
Page 3
and may be renewed by the consumer.
3)Permits a consumer to request, in writing by certified mail,
that a credit reporting agency place a "security freeze" in
his or her credit report and defines a security freeze as a
notice that prohibits the credit reporting agency from
releasing the consumer's credit report or any information from
it without the express authorization of the consumer.
4)Requires the credit reporting agency to place a security
freeze on a consumer's credit report no later than 5 business
days after receiving a request from the consumer and provides
that the security freeze shall remain in place until the
consumer requests in writing by certified mail that the
security freeze be removed. The security freeze must then be
lifted within 5 business days of receipt of a request.
5)Requires the credit reporting agency to provide the consumer
with a unique personal identification number (PIN) to be used
by the consumer should he or she authorize the release of
information from his or her credit report.
6)Provides that a consumer may allow his or her credit report to
be accessed for a specific purpose, party or period of time,
provided that specified information is presented to the credit
bureau.
7)Requires that consumers who decide to use the security alert
or security freeze be advised that taking such an action may
result in the delay of timely approval of subsequent requests
for financial products or services.
8)Provides that the bill's requirements do not apply to, among
other things, creditors of the consumer, state or local
agencies acting pursuant to a court order, warrant or
subpoena, child support agencies, and the Franchise Tax Board.
9)Provides that a credit reporting agency shall not change
specified information in a consumer credit report, including
name, date of birth, Social Security number, without sending a
written confirmation of the change to the consumer within 30
days of the change being posted to the consumer's file if a
security alert or security freeze is in place.
10)Provides that a person or entity or state or local agency may
�
SB 168
Page 4
not do any of the following after July 1, 2002, except as
noted in 11), below: a) Print an individual's Social Security
number on any card required for the individual to access
products or services; b) Publicly post an individual's Social
Security number; c) Require an individual to transmit his or
her Social Security number over the Internet unless the
connection is secure or the Social Security number is
encrypted; d) Require an individual to use his or her Social
Security number to access an Internet Web site, unless a
password is also required to access the Web site; or e) Print
an individual's Social Security number on any materials that
are mailed to the individual, unless required by state or
federal law.
11)Provides that a person or entity or state or local agency may
continue to use an individual's Social Security number in a
manner inconsistent with the bill's requirements with respect
to the use of Social Security numbers if specified conditions
are met and permits the use of Social Security numbers for
internal verification or administrative purposes.
12)Provides that the bill's requirements regarding the use of
Social Security numbers shall not apply to health plans,
health care providers, licensed health care professionals, or
contractors until on or after January 1, 2003 and provides
that if a federal law takes effect requiring the U.S.
Department of Health and Human Services (HHS) to establish a
national unique patient health identifier program, then
compliance with the federal law shall be deemed to be
compliance with the bill.
EXISTING LAW :
1)Regulates the activities of credit reporting agencies and the
users of credit reports and provides rights to consumers who
are affected by such reports under the federal Fair Credit
Reporting Act and the state Consumer Credit Reporting Agencies
Act. (15 U.S.C. Section 1681 et seq. ; Civil Code section
1785.1 et seq. , respectively. All further statutory
references are to the Civil Code.)
2)Requires credit reporting agencies to permit consumers, upon
request and proper identification, to visually inspect all
files maintained regarding that consumer. (Section 1785.10.)
�
SB 168
Page 5
3)Requires credit reporting agencies to provide consumers with
specified information, including any credit score used, if the
consumer requests a copy and requires that the consumer be
provided with the names of the recipients of any credit report
on the consumer which the agency has furnished. ( Id. )
4)Provides that a credit reporting agency may release a consumer
credit report for specified purposes, including, among other
things, in accordance with the written instructions of the
consumer to whom the information relates and to a person whom
the credit reporting agency has reason to believe intends to
use the information in connection with a credit transaction or
otherwise has a legitimate business need for the information
in connection with a business transaction involving the
consumer. (Section 1785.11.)
5)Provides that a consumer may request that a credit reporting
agency not include his or her name in lists of prequalifying
reports and not provide information from the consumer's file
to third parties for marketing purposes. (Sections 1785.11
and 1785.19.5.)
6)Permits the use of Social Security numbers as individual
identifiers.
FISCAL EFFECT : The bill as currently in print is not keyed
fiscal.
COMMENTS : This bill seeks to prevent identity theft by
restricting the use of Social Security numbers as identifiers
and permitting consumers to place security alerts and security
freezes on their credit reports. In support of the measure, the
author stated:
Criminals use Social Security numbers and other personal
information to open credit card accounts, write bad
checks, buy cars and commit other financial crimes with
people's identities. It can take identity theft victims
several years to clear their credit records, during which
time many victims have trouble establishing new credit,
renting apartments and getting jobs because many
applications require a credit check as part of the
approval process.
Background. According to consumer advocates, criminals assume
�
SB 168
Page 6
the identity of about 350,000 people a year. The term "identity
theft" refers to the practice of scam artists who fraudulently
obtain credit, loans, long distance phone service, etc. in
another person's name. This is accomplished through a variety
of means including, assumption of identification, theft of
identifying information such as Social Security numbers, PIN
codes, and through fraudulent changes of address. Often the
innocent party does not know that he or she has been the victim
of fraud, until he or she applies for, and is denied, credit.
Application fraud, as it is known to the credit and banking
industry, is a growing problem for businesses as well. The
American Bankers Association reports that in 1995, application
fraud accounted for 13 percent of all fraud. MasterCard reports
that in 1995, it lost $28.3 million to application fraud. This
is up almost 10 percent from just the year before, and the trend
is growing. According to the US General Accounting Office,
credit card application fraud losses totaled $745 million in
1997.
In California, law enforcement agencies report this crime is
exacting an increasing toll on police resources. According to
the author's office, the LAPD receives between 150 and 200 ID
theft cases per month, and the LAPD's identity theft caseload
has doubled from 1,600 in 1998 to more than 3,000 in 1999. And,
in 1999, the telephone hotline at the Social Security
Administration received reports of almost 39,000 incidents of
misuse of Social Security numbers. The author's office also
notes that the Social Security Administration conducted 1,153
Social Security number misuse investigations in 1997 compared to
only 305 in 1996.
The Health Insurance Portability and Accountability Act (HIPAA)
of 1996: Development of a personal health care identifier.
Several health plans and insurers have written in to express
their opposition to the bill and some have suggested that they
be allowed until January 1, 2005, rather than January 1, 2003,
to implement the bill's requirements. These opponents argue
that they are currently retooling their systems and procedures
to comply with other federal requirements under HIPAA which
included a series of "administrative simplification" provisions
that required HHS to adopt national standards for electronic
health care transactions. The law also required security and
privacy standards in order to protect personal health
information. As a result, HHS has issued either final or
�
SB 168
Page 7
proposed rules on, among other things, medical privacy,
electronic health care transactions, and security requirements.
HIPAA also called for the development of a unique health
identifier for individuals. However, HHS and Congress have
indefinitely postponed any effort to develop such a standard.
In fact, an HHS fact sheet on HIPAA requirements states the
following with respect to the personal health care identifier:
Although HIPAA included a requirement for a unique
personal health care identifier, HHS and Congress have
put the development of such a standard on hold
indefinitely. In 1998, HHS delayed any work on this
standard until after comprehensive privacy protections
were in place. Since then, Congress has adopted budget
language to ensure no such standard is adopted without
Congress' approval. HHS has no plans to develop such an
identifier.
( http://www.hhs.gov/news/press/2001pres/01fshipaa.html ,
visited July 7, 2001.)
In addition, the author has taken the possible development of a
unique personal health care identifier into account in her bill
by including language which provides that if a federal law takes
effect requiring HHS to establish a national unique patient
health identifier program, then compliance with the federal law
shall be deemed to be compliance with the bill.
ARGUMENTS IN SUPPORT : Consumers Union supports the bill,
stating that the bill "would strengthen consumer protections for
dealing with the growing problem of identity theft." The
consumer organization states further:
While California has taken important steps over the past
several years to aid victims of identity theft,
prevention is the most effective way to stop this
problem. SB 168 does this by helping to ensure that
people obtaining credit are who they say they are. ?
This bill would allow a consumer to put a freeze on any
release of a credit information unless the consumer
affirmatively allows its release. ? When issuing new
credit, a credit grantor checks the credit history of the
consumer. If a consumer believes that he or she is the
�
SB 168
Page 8
victim of identity theft, the consumer can prevent the
release of the credit information. If the information is
not released, the identity thief will not be able to
establish credit in the consumer's name. ? SB 168 gives
the consumer, rather than the credit grantor or credit
bureau, control over the use of his or her credit
history. Because information in credit reports is about
a consumer, the consumer's right to control distribution
of that report should be a fundamental one.
The Office of the Attorney General supports the measure, noting
that the bill's provisions concerning security alerts and
security freeze strike a comprehensive approach. On this point,
the office states:
Although consumer reporting agencies generally permit the
placing of security alerts already, they are not required
to do so. In addition, the practices may vary from one
credit reporting agency to another, and there is no
mandate for advising consumers of the option of placing a
security alert on their credit report. The bill corrects
these deficiencies to ensure that consumers are entitled
to this protection.
With respect to the bill's provisions concerning the use of the
Social Security number, the Los Angeles County District
Attorney's Office notes that "Social Security numbers are among
the most easily obtained and widely used tools for identity
theft. Limiting the present widespread use of Social Security
numbers as personal identifiers will make identity theft
significantly harder to commit."
The California Public Interest Research Group (CALPIRG) supports
the measure, explaining:
While it was originally intended to be used solely for
the purpose of receiving Social Security benefits, the
Social Security number has become the key to a person's
identity. With this number and an address, a thief can
obtain credit in a victim's name. Currently, a thief can
find this number in many ways, including on an
identification card from a health insurance company or
university in a consumer's wallet or even over the
internet. Many businesses currently require a customer
to provide his Social Security number in exchange for
�
SB 168
Page 9
products or services. The more widespread this number
is, the more accessible it is to identity thieves. SB
168 would help prevent Social Security number from
falling into the wrong hands ?.
Right now the burden is completely on consumers to both
protect their personal information and clean up their
damaged credit reports once they have become victims of
identity theft. Unfortunately, a consumer has little
control over who has access to his Social Security number
and credit report, so his actions will not necessarily
prevent identity theft from occurring. It is the
responsibility of the business or other entity who
profits from the distribution of a consumer's personal
information to keep that information from falling into
the wrong hands. SB 168 will help place the
responsibility where it belongs.
ARGUMENTS IN OPPOSITION : The three national credit reporting
agencies, Equifax, Experian and TransUnion oppose the security
alert and security freeze provisions in the bill. On this
point, Equifax states that the bill would:
? Add significant new costs to the credit economy by
forcing credit reporting agencies to develop new computer
architecture to issue consumers PIN numbers to turn off
and on their files as they like;
Confuse consumers and add costs by requiring consumer
credit reporting agencies to verify addresses by sending
confirmation letters to the old and new address. There
are 42 million address changes annually. A confirmation
letter would also be triggered by changes to age, which
presumably would trigger a letter from credit reporting
agencies to each Californian annually, name, and
telephone number. There are nationally three million
marriages and divorces annually and a similar number of
name changes;
Harm consumers by delaying or preventing altogether
necessary credit transactions for consumers who had
blocked their files. In mortgage reporting instances,
for example, consumers would have to remember three PIN
codes for each of the national credit reporting agencies.
Automobile dealers and auto finance companies, cellular
�
SB 168
Page 10
phone providers, financial institutions, retailers,
insurers, and those in the mortgage lending and real
estate business would suffer as the process from freeze
to unfreeze could take up to 14 days. Instant, online
transactions would not be possible for consumers with a
"frozen" file. ?
TransUnion opposes the bill, arguing that it may promote
identify fraud rather than alleviate it. On this point, the
company states:
The posting of security alerts to credit reports is a
10-year old practice, pioneered by TransUnion. Security
alerts are posted to consumer file when some
precipitating event, such as the theft of personal
information or a potential identity fraud, occurs. By
mandating that a security alert be posted upon request of
the consumer, and by mandating that notice of the
availability of security alerts be given, SB168 invites
the dilution of the effectiveness of these alerts. If
the alerts become commonplace, they lose their value,
thus promoting, and not avoiding, identity fraud.
(Emphasis in original.)
With respect to the bill's provisions restricting the use of
Social Security numbers, Blue Cross of California argues that
the prohibitions are "costly and burdensome," stating:
Currently, Blue Shield members show a member card that
carries their ID number. This number is used by
hospitals and physicians to provide information back to
Blue Shield and to submit claims. ? individuals and many
small groups move between health plans, sometimes on a
yearly basis. Many large employers, including PERS,
provide an annual open enrollment where their members can
change health plans without penalty. While the member
may change plans, many times they need not change
physicians. A different number generated each year by
each new plan will only result in confusions and delay.
The Social Security number ensures continuity of coverage
and claims payment. The number is also used to verify
eligibility for state and federally funded programs,
which is tied to financial eligibility.
? complicating matters further is a federal law borne out
�
SB 168
Page 11
of the Health Insurance Portability and Accountability
Act (HIPAA) that requires the federal government to come
up with a unique health care identifier for each
individual. Although these regulations have not been
adopted, health plans would be required to switch over to
the new federal identifier once it becomes established.
While recent amendments take the HIPAA requirements into
consideration by deeming that plans would be in
compliance with the bill should the federal government
adopt implementing regulations, it would not necessarily
prevent plans from having to change a member's unique
identifier twice -- once before January 1, 2003 and again
after the federal government rules kick in.
The Health Insurance Association of America opposes the bill,
noting that "within the healthcare industry, Social Security
numbers are used as a personal identifier and link an individual
with other entities such as health plans, hospitals,
pharmacists, and providers. In addition, Social Security
numbers are used by providers in tracking and processing claims,
accommodating state and federal entities such as Federal
Medicare and State Medi-cal systems, and in audits. Disallowing
the use of Social Security numbers as provided in SB 168 would
severely disrupt the processes of these entities by forcing them
to retool their databases at a substantial cost. Moreover,
patient services are likely to be disrupted and payment of
provider claims could be impacted."
The California Association of Health Plans also opposes the
measure, stating, with respect to the HIPAA regulations:
Although the HIPAA regulations will also require the
health care industry to use a new numbering system as
described above, the difference is that promulgation of
regulations under HIPAA has included comprehensive
research, coordination and compromise to develop a
numbering strategy that will work within the health care
system in its entirety -- on a National basis -- rather
than requiring plans and providers to develop their own
numbering system based upon their own methodology
resulting in a number of systems that are unable to
communicate with one another.
Prior Related Legislation. SB 1767 (Bowen) of 2000, which was
substantially similar to this bill, failed passage in the
�
SB 168
Page 12
Assembly Banking and Finance Committee.
REGISTERED SUPPORT / OPPOSITION :
Support
AARP
American Federation of State, County and Municipal Employees
(AFSCME)
Attorney General Bill Lockyer
California District Attorneys Association
California Union of Safety Employees (CAUSE)
California Public Interest Research Group (CALPIRG)
Congress of California Seniors
Consumers Union
Los Angeles County Professional Peace Officers Association
Los Angeles County District Attorney's Office
Older Women's League
Privacy Rights Clearinghouse
Public Counsel Law Center
Opposition
AdvancePCS
Aetna U. S. Healthcare
Alliance of American Insurers
Application Exchange
Associated Credit Bureaus, Inc.
Association of California Life and Health Insurance Companies
Blue Cross of California
Blue Shield of California
California Association of Health Plans
California Association of Mortgage Brokers
California Chamber of Commerce
California Healthcare Association
California Motor Car Dealers Association
California Retailers Association
Direct Marketing Association
Employers Health Care Coalition of Los Angeles
Equifax, Inc.
Experian
Express Scripts Incorporated
First American Financial Corporation
Health Insurance Association of America
Health Net
�
SB 168
Page 13
Keane Tracers Service Corporation
LEXIS-NEXIS
Reed Elsevier, Inc.
San Bernardino County Sheriff's Department
TransUnion
Analysis Prepared by : Saskia Kim / JUD. / (916) 319-2334