127th General Assembly
(As Reported by S. Judiciary - Civil Justice)
Reps. J. Stewart and DeGeeter, Budish, Daniels, Gibbs, Hite, Koziura, Patton, Sayre, D. Stewart, S. Williams, Koziura, Sayre, Hite, Gibbs, Aslanides, Batchelder, Bolon, Book, Boyd, Brown, Bubp, Celeste, Chandler, Combs, DeBose, Distel, Domenick, Dyer, Evans, Flowers, Foley, Garrison, Goyal, R. Hagan, Harwood, Healy, Heard, Hughes, Latta, Letson, Luckie, Mallory, Miller, Oelslager, Okey, Otterman, Peterson, Strahorn, Sykes, Szollosi, Uecker, White, B. Williams, Yates
BILL SUMMARY
· Permits a consumer to request a consumer credit reporting agency to place a security freeze on the consumer's credit report.
· Creates procedures for requesting a security freeze to a consumer credit reporting agency and for the actions of the consumer credit reporting agency in response to that request.
· Provides a procedure for a consumer to release the consumer's credit report subject to a security freeze to a specific person or to lift the security freeze for a limited period of time.
· Establishes a list of entities to whom a consumer credit reporting agency may release a consumer credit report on which a security freeze has been placed.
· Specifies the entities that are not required to place a security freeze on a consumer's credit report.
· Permits the Attorney General to conduct an investigation of a consumer credit reporting agency if the Attorney General has reason to believe that the consumer credit reporting agency has failed or is failing to comply with the security freeze provisions of the bill.
· Specifies the requirements regarding persons who are subpoenaed to produce relevant matter in the course of the Attorney General's investigation of a consumer credit reporting agency.
· Allows the Attorney General to bring a civil action if it appears that a consumer credit reporting agency has failed or is failing to comply with the security freeze provisions of the bill and, if there is a finding that the consumer credit reporting agency intentionally or recklessly failed to comply, requires the court to impose a civil penalty of up to $2,500 for each instance that the consumer credit reporting agency fails to comply.
· Allows a consumer to file a civil action against a consumer credit reporting agency that willfully or negligently fails to comply with the requirements for placing and temporarily lifting a security freeze on a consumer's credit report.
· Provides that the statute of limitations for the consumer's civil action is not later than the earlier of two years after the date of discovery by the plaintiff of the consumer credit reporting agency's willful or negligent failure to comply or five years after the date of the consumer credit reporting agency's willful or negligent failure to comply.
· Provides, with certain specified exceptions, that a consumer credit reporting agency is not liable in damages in a civil action for any damages a consumer allegedly sustains as a result of the consumer credit reporting agency's placement of a security freeze on the consumer's credit report in violation of the requirement to place the security freeze within three business days, send confirmation within five business days, and provide a unique personal ID number or password if the consumer credit reporting agency establishes as an affirmative defense that it made a good faith effort to comply with the law and that it placed a security freeze on the consumer's credit report as a result of a misrepresentation of fact by another consumer.
· Requires each public office or person responsible for public records to maintain a database or list that includes the name and date of birth of all public officials and employees elected to or employed by that public office.
· Prohibits a public office or a person responsible for the public office's public records from making available to the general public on the internet any document that contains an individual's social security number.
· Provides a procedure for an individual to request that a public office or a person responsible for a public office's public records redact personal information of that individual from any record made available to the general public on the internet.
· Provides a procedure for a peace officer, parole officer, prosecuting attorney, assistant prosecuting attorney, correctional employee, youth services employee, firefighter, or EMT to request that a public office other than a county auditor or a person responsible for the public records of a public office other than a county auditor redact the address of that person from any record made available to the general public on the internet.
· Requires a public office or a person responsible for a public office's public records to redact, encrypt, or truncate from an electronic record of that public office that is made available to the general public on the internet an individual's social security number that was mistakenly not redacted, encrypted, or truncated from that electronic record and to do so within a reasonable period of time.
· Provides that a public office or a person responsible for a public office's public records is not liable in damages in a civil action for any harm an individual allegedly sustains as a result of the inclusion of that individual's personal information, or for any harm a peace officer, parole officer, prosecuting attorney, assistant prosecuting attorney, correctional employee, youth services employee, firefighter, or EMT sustains as a result of the inclusion of that person's address, on any record made available to the general public on the internet unless certain specified circumstances apply.
· Provides that the preparer of any document to be recorded with the county recorder's office may not include any individual's personal information in that document and that a county recorder may not accept a document for recording if it includes any individual's personal information.
· Provides a procedure to allow a peace officer, parole officer, prosecuting attorney, assistant prosecuting attorney, correctional employee, youth services employee, firefighter, or EMT to submit a written request to the county auditor requesting the county auditor to remove the name of the person from the general tax list of real and public utility property and the general duplicate of real and public utility property and insert the initials of that person on the general tax list of real and public utility property and the general duplicate of real and public utility property.
· Prohibits the county auditor from charging a fee when a current owner on the general tax list of real and public utility property and the general duplicate of real and public utility property is a peace officer, parole officer, prosecuting attorney, assistant prosecuting attorney, correctional employee, youth services employee, firefighter, or EMT and is changing the current owner name listed on the general tax list of real and public utility property and the general duplicate of real and public utility property to the current owner's initials.
· Provides that the statute of limitations for a cause of action on the grounds of identity fraud is five years.
· Provides that if the period of limitation for a felony, misdemeanor, or minor misdemeanor or for a prosecution of a certain specified offense has expired, prosecution for identity fraud must be commenced within five years after the discovery of the offense.
· Requires the Attorney General to cooperate with and provide technical assistance to any local law enforcement agency in the state, upon that agency's request, with respect to the enforcement of identity fraud crimes.
· Prohibits the Secretary of State from accepting a document for filing or recording if the document contains any individual's social security number or federal tax identification number unless certain specified circumstances apply.
· Requires the Director of the Office of Information Technology to employ a chief privacy officer who is responsible for advising the Office and state agencies when establishing policies and procedures for the security of personal information and developing education and training on the state's security procedures and a chief information security officer who is responsible for the implementation and coordination of policies and procedures for the security of personal information maintained and destroyed by state agencies.
· Specifies that the effective date of the bill is September 1, 2008.
TABLE OF CONTENTS
Consumer's
credit report security freeze
Temporary
removal of security freeze
Entities
to whom a credit report can be released
Changing
information in a consumer credit report
Exemption
for certain consumer reporting agencies
Investigation
by Attorney General
Database
or list of names and dates of birth
Redacting,
encrypting, or truncating an individual's social security number
Definition
of "personal information"
Requesting
the redaction of an individual's personal information
Personal
information not to be included in document filed for recording
Prohibition
against Secretary of State accepting documents if documents
contain certain information
Office
of Information Technology
Statute
of limitations for civil action of identity fraud
Limitation
on criminal prosecution of identity fraud
Enforcement
of identity fraud crimes
CONTENT AND OPERATION
The bill permits a consumer to place a "security freeze" (see "Definitions," below) on the consumer's credit report by making a request to a "consumer credit reporting agency" (see "Definitions," below) in writing by certified mail or other comparable service or by any secure electronic method authorized by the consumer credit reporting agency. Under the bill, a consumer credit reporting agency must place a security freeze on a credit report not later than three business days after receiving a request as described above. The consumer credit reporting agency must send a written confirmation of the security freeze to the consumer within five business days of placing the security freeze and, at the same time, must provide the consumer with a unique personal identification number or password, which cannot be the consumer's social security number. (R.C. 1349.52(B) and (C).)
A consumer may allow the consumer's credit report to be accessed for a specific party or period of time while a security freeze is in place by contacting the consumer credit reporting agency by certified mail or other comparable service, secure electronic method selected by the consumer credit reporting agency, or telephone and requesting that the security freeze be temporarily lifted and providing all of the following (R.C. 1349.52(D)):
(1) Information generally considered sufficient to identify the consumer;
(2) The unique personal identification number or password provided by the consumer credit reporting agency;
(3) The proper information regarding the third party who is to receive the consumer credit report or the time period for which the consumer credit report must be available to users of the credit report.
A consumer credit reporting agency that receives a request in writing by certified mail or other comparable service from a consumer to temporarily lift a security freeze on a consumer credit report must comply with the request not later than three business days after receiving the request. Except as otherwise provided in the bill, a consumer credit reporting agency that receives a request by secure electronic method selected by the consumer credit reporting agency, telephone, or another means authorized by the consumer credit reporting agency from a consumer to temporarily lift a security freeze on a credit report must comply with the request not later than 15 minutes after receiving the request unless any of the following applies:
(1) The consumer fails to meet the requirements described in (1) through (3) above;
(2) The consumer credit reporting agency's ability to temporarily lift the security freeze within 15 minutes is prevented by an act of God, including fire, earthquakes, hurricanes, storms, or similar natural disaster or phenomena; unauthorized or illegal acts by a third party, including terrorism, sabotage, riot, vandalism, labor strikes or disputes disrupting operations, or similar occurrence; operational interruption, including electrical failure, unanticipated delay in equipment or replacement part delivery, computer hardware or software failures inhibiting response time, or similar disruption; governmental action, including emergency orders or regulations, judicial or law enforcement action, or similar directives; regularly scheduled maintenance, during other than normal business hours of, or updates to, the consumer credit reporting agency's systems; or commercial reasonable maintenance of, or repair to, the consumer credit reporting agency's systems that is unexpected or unscheduled. (R.C. 1349.52(E)(1) and (2).)
The bill requires a consumer reporting agency to remove or temporarily lift a freeze placed on a consumer credit report only in the following cases (R.C. 1349.52(E)(3)):
(1) Upon consumer request as described above;
(2) If the consumer credit report was frozen due to a material misrepresentation of fact by the consumer. If a consumer credit reporting agency intends to remove a security freeze upon a consumer credit report for this reason, the consumer credit reporting agency must notify the consumer in writing at least five business days prior to removing the freeze on the credit report.
The bill requires a consumer credit reporting agency, when required by the "Fair Credit Reporting Act," 84 Stat. 1128 (1970), 15 U.S.C. 1681g(c) to provide a summary of rights, or when receiving a request from a consumer for information about a security freeze, to provide a written notice specified in the bill detailing the consumer's rights with respect to obtaining a security freeze on the consumer's credit report (see COMMENT for specific notice that consumer reporting agency must provide consumer) (R.C. 1349.52(F)).
Except as otherwise provided above under "Temporary removal of security freeze," the bill requires a consumer credit reporting agency to keep a security freeze in place until the consumer requests that the security freeze be removed. A consumer credit reporting agency must remove a security freeze within three business days of receiving a request by telephone or by any other means authorized by the consumer credit reporting agency for removal from the consumer when the consumer provides the following (R.C. 1349.52(G)):
(1) Information generally considered sufficient to identify the consumer;
(2) The unique personal identification number or password provided by the consumer credit reporting agency.
The bill allows a consumer credit reporting agency to release a consumer credit report on which a security freeze has been placed to the following (R.C. 1349.52(H)):
(1) A person, or subsidiary, affiliate, or agent of that person, or an assignee of a financial obligation owing by the consumer to that person, or a prospective assignee of a financial obligation owing by the consumer to that person in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had prior to assignment an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or negotiable instrument (reviewing the account includes activities related to account maintenance, monitoring, credit line increases, and account upgrades or other permissible use);
(2) A subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted, for purposes of facilitating the extension of credit or other permissible use;
(3) Any state or local law enforcement agency, trial court, or private collection agency acting pursuant to a court order, warrant, or subpoena;
(4) Any federal, state, or local governmental entity, agency, or instrumentality that is acting within the entity's, agency's, or instrumentality's authority;
(5) A state or local child support enforcement agency;
(6) A person seeking to use the information contained in the consumer's credit report for the purpose of prescreening pursuant to the "Fair Credit Reporting Act";
(7) Any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed;
(8) Any person or entity providing a consumer with a copy of the consumer's credit report upon the consumer's request;
(9) Any person or entity for use in setting or adjusting a rate, adjusting a claim, or underwriting for insurance purposes;
(10) Any person or entity acting to investigate fraud or acting to investigate or collect delinquent taxes or unpaid court orders provided those responsibilities are consistent with section 1681b of the "Fair Credit Reporting Act."
The bill permits a consumer credit reporting agency to charge a consumer a reasonable fee, not to exceed $5, for placing a security freeze on that consumer's credit report. If the consumer is a victim of identity fraud (R.C. 2913.49), the consumer credit reporting agency cannot charge a fee to place a security freeze on that consumer's credit report, but that consumer must send a copy of the police report related to the identity fraud to the consumer credit reporting agency. The consumer credit reporting agency may charge a reasonable fee, not to exceed $5, to a consumer who elects to remove or temporarily lift a security freeze on that consumer's credit report and may charge a reasonable fee, not to exceed $5, to a consumer who fails to retain the original personal identification number provided by the consumer credit reporting agency and must be reissued the same or a new personal identification number. (R.C. 1349.52(I).)
The bill provides that if a security freeze is in place, a consumer credit reporting agency must not change any of the following official information in a credit report without sending a written confirmation of the change to the consumer within 30 days of the change being posted to the consumer's file (R.C. 1349.52(J)):
(1) Name;
(2) Date of birth;
(3) Social security number;
(4) Address.
Written confirmation is not required for technical modifications of a consumer's official information, including name and street abbreviations, complete spellings, or transposition of numbers or letters. In the case of an address change, the written confirmation must be sent to both the new address and the former address (R.C. 1349.52(J)).
The credit report freeze provisions of the bill do not apply to a consumer credit reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the database of another consumer credit reporting agency or multiple consumer reporting agencies and does not maintain a permanent database of credit information from which new consumer reports are produced, except that the reseller of credit information must honor any security freeze placed on a credit report by another consumer credit reporting agency (R.C. 1349.52(K)).
The following entities are not required to place a security freeze on a credit report (R.C. 1349.52(L)):
(1) A check services company or fraud prevention services company that issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payment;
(2) A demand deposit account information service company that issues reports, regarding account closures due to fraud, substantial overdrafts, automated teller machine abuse, or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a demand deposit account at the inquiring bank or financial institution.
The bill permits the Attorney General to conduct an investigation if the Attorney General, based on complaints or the Attorney General's own inquiries, has reason to believe that a consumer credit reporting agency has failed or is failing to comply with the above credit report freeze requirements of the bill, which are in R.C. 1349.52. In any investigation conducted pursuant to this provision, the Attorney General may administer oaths, subpoena witnesses, adduce evidence, and subpoena the production of any book, document, record, or other relevant matter. If the Attorney General subpoenas the production of any relevant matter that is located outside this state, the Attorney General may designate a representative, including an official of the state in which that relevant matter is located, to inspect the relevant matter on the Attorney General's behalf. The Attorney General may carry out similar requests received from officials of other states. (R.C. 1349.52(M)(1), (2), and (3).)
Any person who is subpoenaed to produce relevant matter must make that relevant matter available at a convenient location within this state or the state of the representative designated above. Any person who is subpoenaed as a witness or to produce relevant matter may file in the Franklin County Court of Common Pleas, the county in this state in which the person resides, or the county in this state in which the person's principal place of business is located a petition to extend for good cause shown the date on which the subpoena is to be returned or to modify or quash for good cause shown that subpoena. The person may file the petition at any time prior to the date specified for the return of the subpoena or within 20 days after the service of the subpoena, whichever is earlier. (R.C. 1349.52(M)(4) and (5).)
Any person who is subpoenaed as a witness or to produce relevant matter must comply with the terms of the subpoena unless the court orders otherwise prior to the date specified for the return of the subpoena or, if applicable, that date as extended. If a person fails without lawful excuse to obey a subpoena, the Attorney General may apply to the Court of Common Pleas for an order that does one or more of the following (R.C. 1349.52(M)(6)):
(1) Compels the requested discovery;
(2) Adjudges the person in contempt of court;
(3) Grants injunctive relief to restrain the person from failing to comply with R.C. 1347.12 or 1349.19, whichever is applicable;
(4) Grants injunctive relief to preserve or restore the status quo;
(5) Grants other relief that may be required until the person obeys the subpoena.
The Attorney General has the authority to bring a civil action in a court of common pleas for appropriate relief, including a temporary restraining order, preliminary or permanent injunction, and civil penalties, if it appears that a consumer credit reporting agency has failed or is failing to comply with the above credit report freeze provisions of the bill, which are in R.C. 1349.52. Upon its finding that a consumer credit reporting agency has intentionally or recklessly failed to comply with those provisions, the court must impose a civil penalty upon the consumer credit reporting agency of up to $2,500 for each instance that the consumer credit reporting agency fails to comply (R.C. 1349.52(N)(1)).
Any civil penalty that is assessed must be deposited into the Consumer Protection Enforcement Fund. In determining the appropriate civil penalty to assess, the court must consider all relevant factors, including the degree of the defendant's culpability, any history of prior violations of R.C. 1349.52 by the defendant, the defendant's ability to pay, the effect of the court's decision on the defendant's ability to continue to conduct the defendant's business, and whether or not the defendant acted in bad faith in failing to comply with R.C. 1349.52. (R.C. 1349.52(N)(2) and (3).)
Any consumer reporting agency that is found by the court to have failed to comply with the above provisions of the bill, which are in R.C. 1349.52, is liable to the Attorney General for the Attorney General's costs in conducting an investigation and brining an action (R.C. 1349.52(O)).
The rights and remedies that are provided under R.C. 1349.52 are in addition to any other rights or remedies that are provided by law (R.C. 1349.52(P)).
If a consumer credit reporting agency willfully fails to comply with R.C. 1349.52(C) or (J) (requirement to place security freeze on credit report within three business days, send written confirmation of security freeze within five business days, and provide unique personal ID number or password and prohibition against changing certain official information in frozen credit report without notice), the consumer may file a civil action against the consumer credit reporting agency. In the civil action, the consumer may recover all of the following (R.C. 1349.53(A)):
(1) Actual damages sustained by the consumer as a result of the consumer credit reporting agency's failure to comply with R.C. 1349.52(C) and (J) or damages of not less than $100 and not more than $1,000, whichever is greater;
(2) Punitive damages;
(3) Court costs and reasonable attorney's fees.
A person who obtains a consumer's credit report from a consumer credit reporting agency under false pretenses or knowingly without the permission of the consumer is liable to the consumer credit reporting agency for actual damages sustained by the consumer credit reporting agency or $1,000, whichever is greater (R.C. 1349.53(B)).
If a consumer credit reporting agency negligently fails to comply with R.C. 1349.52(C) or (J), the consumer may file a civil action against the consumer credit reporting agency. In the civil action, the consumer may recover all of the following (R.C. 1349.53(C)):
(1) Actual damages sustained by the consumer as a result of the consumer credit reporting agency's failure to comply with R.C. 1349.52(C) or (J) or as a result of the consumer credit reporting agency negligently allowing another person to obtain a consumer's credit report;
(2) Court costs and reasonable attorney's fees.
If the court finds that a civil action was brought in bad faith or for the purposes of harassment, the court must award to the prevailing party reasonable attorney's fees in relation to the work expended in responding to the civil action (R.C. 1349.53(D)).
A person must bring a civil action not later than the earlier of the following (R.C. 1349.53(E)):
(1) Two years after the date of discovery by the plaintiff of a violation of R.C. 1349.52(C) or (J);
(2) Five years after the date a violation of R.C. 1349.52(C) or (J) occurs.
A consumer credit reporting agency is not liable in damages in a civil action for any damages a consumer allegedly sustains as a result of the consumer credit reporting agency's placement of a security freeze in violation of R.C. 1349.52(C) on the consumer's credit report if the consumer credit reporting agency establishes as an affirmative defense that the consumer credit reporting agency made a good faith effort to comply with that provision and the consumer credit reporting agency placed a security freeze on the consumer's credit report as a result of a misrepresentation of fact by another consumer (R.C. 1349.53(F)).
The bill defines the following terms (R.C. 1349.52(A)) for use in its provisions dealing with credit report security freezes:
(1) "Consumer credit reporting agency" means any person that, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of maintaining consumers' credit information for the purpose of furnishing consumer reports to third parties.
(2) "Credit report" means any written, oral, or other communication of any credit information by a consumer credit reporting agency that operates or maintains a database of consumer credit information bearing on a consumer's credit worthiness, credit standing, or credit capacity.
(3) "Security freeze" means a restriction placed in a consumer's credit report at the request of the consumer that prohibits a consumer credit reporting agency from releasing all or any part of the consumer's credit report or any information derived from the consumer's credit report relating to the extension of credit without authorization from the consumer.
(4) "Other comparable service" means a service for which a receipt of delivery is provided.
The bill requires each public office or person responsible for public records to maintain a database or a list that includes the name and date of birth of all public officials and employees elected to or employed by that public office. The database or list is a public record and must be made available upon a request made pursuant to the Public Records Law (R.C. 149.43). (R.C. 149.434(A).)
The bill prohibits a public office or person responsible for a public office's public records from making available to the general public on the internet any document that contains an individual's social security number without otherwise redacting, encrypting, or truncating the social security number. A public office or person responsible for a public office's public records that prior to the effective date of the provisions of the bill discussed in this paragraph made available to the general public on the internet any document that contains an individual's social security number must redact, encrypt, or truncate the social security number from that document (R.C. 149.45(B)(1) and (2)).
"Trucate" means to redact all but the last four digits of an individual's social security number (R.C. 149.45(A)(3)).
The above-described provisions do not apply to documents that are only accessible through the internet with a password (R.C. 149.45(B)(3)).
The bill defines "personal information" for use in its redaction provisions as any of the following (R.C. 149.45(A)):
(1) An individual's social security number;
(2) An individual's federal tax identification number;
(3) An individual's driver's license number or state identification number;
(4) An individual's checking account number, savings account number, or credit card number.
An individual may request that a public office or a person responsible for a public office's public records redact personal information of that individual from any record made available to the general public on the internet. An individual who makes a request for redaction must make the request in writing on a form developed by the Attorney General and must specify the personal information to be redacted and provide any information that identifies the location of that personal information within a document that contains that personal information. (R.C. 149.45(C)(1).)
Upon receiving a request for a redaction pursuant to the above-described provision, a public office or a person responsible for a public office's public records must act within five business days in accordance with the request to redact the personal information of the individual from any record made available to the general public on the internet if practicable. If a redaction is not practicable, the public office or person responsible for the public office's public records must verbally or in writing within five business days after receiving the written request explain to the individual why the redaction is impracticable. (R.C. 149.45(C)(2).)
The bill requires the Attorney General to develop a form to be used by an individual to request a redaction and requires that the form include a place to provide any information that identifies the location of the personal information to be redacted (R.C. 149.45(C)(3)).
The bill allows a peace officer, parole officer, prosecuting attorney, assistant prosecuting attorney, correctional employee, youth services employee, firefighter, or EMT (hereafter referred to as "protected individual") to request that a public office other than a county auditor or a person responsible for the public records of a public office other than a county auditor redact the address of the person making the request from any record made available to the general public on the internet that includes protected individual residential or familial information of the person making the request. A person who makes a request for a redaction must make the request in writing and on a form developed by the Attorney General. (R.C. 149.45(D)(1).)
Upon receiving a written request for a redaction pursuant to the above-described provision, a public office other than a county auditor or a person responsible for the public records of a public office other than a county auditor must act within five business days in accordance with the request to redact the address of the protected individual making the request from any record made available to the general public on the internet that includes protected individual residential and familial information of the person making the request, if practicable. If a redaction is not practicable, the public office or person responsible for the public office's public records must verbally or in writing within five business days after receiving the written request explain to the protected individual why the redaction is impracticable. (R.C. 149.45(D)(2).)
Generally a public office other than an employer of a protected individual or a person responsible for the public records of the employer is not required to redact the residential and familial information of the protected individual from other records maintained by the public office (R.C. 149.45(D)(3)).
The bill requires the Attorney General to develop a form to be used by a protected individual to request a redaction. The form must include a place to provide any information that identifies the location of the address of a protected individual to be redacted. (R.C. 149.45(D)(4).)
If a public office or a person responsible for a public office's public records becomes aware that an electronic record of that public office that is made available to the general public on the internet contains an individual's social security number that was mistakenly not redacted, encrypted, or truncated, the public office or person responsible for the public office's public records must redact, encrypt, or truncate the individual's social security number within a reasonable period of time (R.C. 149.45(E)(1)).
The bill provides that a public office or a person responsible for a public office's public records is not liable in damages in a civil action for any harm an individual allegedly sustains as a result of the inclusion of that individual's personal information on any record made available to the general public on the internet or any harm a protected individual sustains as a result of the inclusion of the address of the protected individual on any record made available to the general public on the internet in violation of the above-discussed provisions of the bill unless the public office or person responsible for the public office's public records acted with malicious purpose, in bad faith, or in a wanton or reckless manner or R.C. 2744.03(A)(6)(a) or (c) applies (acts or omissions of an employee of a political subdivision were manifestly outside the scope of the employee's employment or official responsibilities or civil liability is expressly imposed upon the employee by a section of the Revised Code) (R.C. 149.45(E)(2)).
Under existing law, generally the preparer of any document to be recorded by a county recorder may not include any individual's social security number and the county recorder may not accept a document for recording if it includes any individual's social security number. If a document presented for recording includes any individual's social security number and the county recorder refuses to accept that document for recording, the county recorder or the person who attempted to file the document with the county recorder may immediately redact the individual's social security number from the document. The bill modifies this provision by instead providing that the preparer of any document to be recorded by a county recorder may not include an individual's personal information (instead of social security number) and makes the necessary changes to personal information throughout the provision. (R.C. 317.082(B).)
Existing law also provides that the preparer is not liable in damages in a civil action for any harm an individual allegedly sustains as a result of the inclusion of the individual's social security number on a document if the preparer establishes as an affirmative defense that the preparer made a good faith effort to comply with the law. The county recorder and the county recorder's employees are also immune from liability in damages in a civil action brought against the county recorder or an employee of the county recorder accepting a document that includes the individual's social security number, unless the county recorder or an employee of the county recorder accepted that document with malicious purpose, in bad faith, or in a wanton or reckless manner, or R.C. 2744.03(A)(6)(a) or (c) applies (acts or omissions of an employee of a political subdivision were manifestly outside the scope of the employee's employment or official responsibilities or civil liability is expressly imposed upon the employee by a section of the Revised Code). The bill removes the reference to social security number and replaces it with personal information. (R.C. 317.082(B).)
Existing law also states that an individual who executes a document that must be filed by a preparer for recording in the office of the county recorder may execute an affidavit consenting to the inclusion of the individual's social security number in the document. If an individual executes an affidavit consenting to the inclusion of the individual's social security number in the document, the provisions of the bill discussed in the prior two paragraphs do not apply to the preparer of the document or to the county recorder and the county recorder's employees. The bill removes social security number and replaces it with personal information. (R.C. 317.082(C).)
Under existing law, R.C. 317.082(B) does not apply to any publicly recorded document that is required by federal or state law to include an individual's social security number. The bill adds personal information to this provision. (R.C. 317.082(D)(3).)
The bill provides that R.C. 317.082, as amended by the bill (the provisions discussed in the above four paragraphs), does not apply to documents that were executed by an individual on or after September 28, 2006, and prior to the effective date of the bill (R.C. 317.082(E)(2)).
Existing law requires the county auditor, on or before the first Monday of August, annually, to compile and make up a general tax list of real and public utility property in the county and requires this list be prepared in duplicate (R.C. 319.28). The bill allows a protected individual (see redaction provisions above for meaning of this term) to submit a written request by affidavit to the county auditor requesting the county auditor to remove the name of the protected individual from the general tax list of real and public utility property and the general duplicate of real and public utility property and insert the initials of the protected individual on the general tax list of real and public utility property and the general duplicate of real and public utility property as the name of the protected individual that appears on the deed (R.C. 319.28(B)(1)).
Upon receiving a written request by affidavit described above, the county auditor must act within five business days in accordance with the request to remove the name of the protected individual from the general tax list of real and public utility property and the general duplicate of real and public utility property and insert the initials of the protected individual on the general tax list of real and public utility property and the general duplicate of real and public utility property, if practicable. If the removal and insertion is not practicable, the county auditor must verbally or in writing within five business days after receiving the written request explain to the protected individual why the removal and insertion is impracticable. (R.C. 319.28(B)(2).)
Existing law requires the county auditor to charge and receive certain fees, including fees for deeds of land sold for taxes to be paid by the purchaser (R.C. 319.54). Existing law also provides for certain situations where the county auditor may not charge a fee, including when a transfer of real property is made to confirm or correct a deed previously executed and recorded. The bill provides that the county auditor cannot charge a fee when a current owner on the general tax list of real and public utility property and the general duplicate of real and public utility property is a protected individual (see redaction provisions above for meaning of this term) and is changing the current owner name listed on the general tax list of real and public utility property and the general duplicate of real and public utility property to the initials of the current owner. (R.C. 319.54(G)(3)(c).)
The bill prohibits the Secretary of State from accepting a document for filing or recording if the document includes any individual's social security number or federal tax identification number. If a document presented for filing or recording includes any individual's social security number or federal tax identification number and the Secretary of State refuses to accept that document for filing or recording, the Secretary of State or the person who attempted to file or record the document with the Secretary of State may immediately redact the individual's social security number or federal tax identification number from the document. (R.C. 111.241(A).)
The bill provides that the above-described provisions does not apply to either of the following (R.C. 111.241(B)):
(1) Any document that originates with any court or taxing authority;
(2) Any publicly recorded document that is required by federal or state law to include an individual's social security number or federal tax identification number.
The bill provides that the above-described provisions do not apply to documents that were executed by an individual prior to the effective date of the provisions (R.C. 111.241(C)).
R.C. 125.18 creates the Office of Information Technology. The Director of the Office of Information Technology leads, oversees, and directs state agency activities related to information technology development and use. The bill requires the Director to do the following:
(1) Establish policies and procedures for the security of personal information that is maintained and destroyed by state agencies;
(2) Employ a Chief Information Security Officer who is responsible for the implementation of the policies and procedures described in the prior paragraph and for coordinating the implementation of those policies and procedures in all of the state agencies;
(3) Employ a Chief Privacy Officer who is responsible for advising the Office of Information Technology and state agencies when establishing policies and procedures for the security of personal information and developing education and training programs regarding the state's security procedures.
The bill also requires the Chief Information Security Officer to assist each state agency with the development of an information technology security strategic plan and review that plan, and requires each state agency to submit that plan to the Office of Information Technology. The Chief Information Security Officer may require that each state agency update its information technology security strategic plan annually as determined by the chief information officer. (R.C. 125.18(D)(1).) Prior to the implementation of any information technology data system, a state agency must prepare or have prepared a privacy impact statement for that system (R.C. 125.18(D)(2)).
Existing law provides that an action for relief on the ground of fraud must be brought within four years after the fraud accrued. Under the bill, if the cause of action is identity fraud, the action must be brought within five years after identity fraud accrued. (R.C. 2305.09(C).)
Under current law, if the period of limitation for a felony (six years), a misdemeanor other than a minor misdemeanor (two years), or a minor misdemeanor (six months) or a prosecution for certain specified offenses (20 years) has expired, prosecution must be commenced for an offense of which an element is fraud or breach of fiduciary duty, within one year after discovery of the offense either by an aggrieved person, or by the aggrieved person's legal representation who is not a party to the offense. The bill provides that if the period of limitation described above has expired, prosecution for identity fraud must be commenced within five years after discovery of the offense either by an aggrieved person or the aggrieved person's legal representation who is not a party to the offense (R.C. 2901.13(B)).
The bill requires the Attorney General to cooperate with and provide technical assistance to any local law enforcement agency in the state, upon that agency's request, with respect to enforcement of identity fraud crimes (R.C. 109.941).
COMMENT
Below is the notice that a consumer credit reporting agency must provide a consumer when required to do so by the "Fair Credit Reporting Act" or when a consumer makes a request for information about a security freeze (R.C. 1349.52(F)):
"Ohio Consumers Have the Right to Obtain a Security Freeze:
You may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You have a right to place a "security freeze" on your credit report pursuant to Ohio law. The security freeze will prohibit a consumer credit reporting agency from releasing any information in your credit report without your express authorization or approval. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. When you place a security freeze on your credit report, within five business days you will be provided a personal identification number or password to use if you choose to authorize the release of your credit report for a specific party or parties or for a specific period of time after the freeze is in place. To provide that authorization, you must contact the consumer credit reporting agency and provide all of the following:
(1) Information generally considered sufficient to identify the consumer;
(2) The unique personal identification number or password provided by the consumer credit reporting agency;
(3) The proper information regarding the third party who is to receive the consumer credit report or the time period for which the credit report shall be available to users of the credit report.
A consumer credit reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report shall comply with the request not later than 15 minutes after receiving the request.
A security freeze does not apply to circumstances in which you have an existing account relationship and a copy of your report is requested by your existing creditor or its agents or affiliates for certain types of account review, collection, fraud control, or similar activities.
If you are actively seeking credit, you should understand that the procedures involved in lifting a security freeze may slow your own application for credit. You should plan ahead and lift a freeze, either completely if you are shopping around, or specifically for a certain creditor, a few days before actually applying for new credit."
HISTORY
|
ACTION |
DATE |
|
|
|
|
Introduced |
02-20-07 |
|
Reported,
H. Financial Institutions, Real |
|
|
Passed House (94-4) |
05-22-07 |
|
Reported, S. Judiciary - Civil Justice |
--- |
H0046-rs-127.doc/ss
* This analysis was prepared before the
report of the Senate Judiciary - Civil Justice Committee appeared in the Senate
Journal. Note that the list of
co-sponsors and the legislative history may be incomplete.