Bill Number: OK51RHB 1382 Filed: 01-19-2007
Author: Ingmire
STATE OF OKLAHOMA
1 1st Session of the 51st Legislature (2007)
2 HOUSE BILL 1382 By: Ingmire
3 AS INTRODUCED
4 An Act relating to crimes and punishments; creating
5 the Identity Theft Protection Act; authorizing
6 preparation and filing of identity theft incident
7 report; directing copy of report be provided to
8 victim; allowing report to be shared with other
9 jurisdictions; defining term; providing certain
10 exception for identity theft incident reports;
11 prohibiting certain acts by persons or entities;
12 providing exceptions; providing penalty; authorizing
13 filing of civil suit; defining terms; requiring
14 businesses to use reasonable measures to protect
15 certain information; stating reasonable measures;
16 requiring written policy for destruction or disposal
17 of records; providing penalty; authorizing filing of
18 civil suit; providing severability clause; providing
19 for codification; providing for noncodification; and
20 providing an effective date.
21 BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
22 SECTION 1. NEW LAW A new section of law not to be
23 codified in the Oklahoma Statutes reads as follows:
24 Sections 1 through 5 of this act shall be known and may be
1
1 cited as the Identity Theft Protection Act.
2 SECTION 2. NEW LAW A new section of law to be codified
3 in the Oklahoma Statutes as Section 1533.3 of Title 21, unless there
4 is created a duplication in numbering, reads as follows:
5 A. Notwithstanding the fact that jurisdiction may lie
6 elsewhere for investigation and prosecution of a crime of identity
7 theft, victims of identity theft may contact the local law
8 enforcement agency where the victim is domiciled and request that an
9 incident report about the identity theft be prepared and filed. The
10 local law enforcement agency that prepares and files the incident
11 report shall, upon request, provide the victim with a copy of the
12 incident report. The law enforcement agency may share the incident
13 report with law enforcement agencies located in other jurisdictions.
14 For purposes of this section, "incident report" means a loss or
15 other similar report prepared and filed by a local law enforcement
16 agency.
17 B. Nothing in this section shall interfere with the
18 discretion of a local law enforcement agency to allocate resources
19 for investigations of crimes. An incident report prepared and filed
20 under this section is not required to be counted as an open case for
21 purposes such as compiling open case statistics.
22 SECTION 3. NEW LAW A new section of law to be codified
23 in the Oklahoma Statutes as Section 1533.4 of Title 21, unless there
24 is created a duplication in numbering, reads as follows:
25 A. Except as provided for in subsection B of this section, a
26 person or entity, including a state or local agency, shall not do
27 any of the following:
2
1 1. Intentionally communicate or otherwise make available to
2 the general public the Social Security number of an individual;
3 2. Print the Social Security number on any card provided to
4 the individual and required for the individual to access products or
5 services provided by the person or entity;
6 3. Require an individual to transmit his or her Social
7 Security number over the Internet, unless the connection is secure
8 or the Social Security number is encrypted by the use of an
9 algorithmic process to transform data into a form in which there is
10 a low probability of assigning meaning without use of a confidential
11 process or key;
12 4. Require an individual to use his or her Social Security
13 number to access an Internet web site, unless a password or unique
14 personal identification number or other authentication device is
15 also required to access the Internet web site;
16 5. Print the Social Security number of an individual on any
17 materials that are mailed to the individual, unless state or federal
18 law requires the Social Security number to be on the document to be
19 mailed. Notwithstanding this paragraph, Social Security numbers may
20 be included in applications and forms sent by mail, including
21 documents sent as part of an application or enrollment process, or
22 to establish, amend, update, or terminate an account, contract, or
23 policy, or to confirm the accuracy of Social Security numbers. A
24 Social Security number that is permitted to be mailed under this
25 section may not be printed, in whole or in part, on a postcard or
26 other mailer not requiring an envelope, or visible on the envelope
27 or without the envelope having been opened; and
3
1 6. Sell, lease, loan, trade, rent, or otherwise disclose the
2 Social Security number of an individual to a nonaffiliated third
3 party for any purpose without written consent, or electronic consent
4 provided by means of a confidential personalized digital key, code,
5 or number used for secure electronic transmissions which identifies
6 and authenticates the signatory, to the disclosure from the
7 individual, unless such transaction is done for a lawful purpose.
8 The provisions of this paragraph do not apply to financial
9 institutions as defined by 15 United States Code, Section 6809(3),
10 officers, directors, or employees of the institution, a consumer
11 reporting agency as defined by 15 U.S.C., Sections 1681a(f),
12 officers, directors, or employees of the agency, or a licensee as
13 defined by Section 365:35-1-4(17) of the Oklahoma Administrative
14 Code.
15 B. This section shall not apply to documents that are
16 recorded or required to be open to the public pursuant to the
17 Oklahoma Open Records Act, Sections 24A.1 through 24A.29 of Title 51
18 of the Oklahoma Statutes.
19 C. This section does not prohibit the collection, use, or
20 release of a Social Security number as otherwise expressly permitted
21 by the laws of the State of Oklahoma or the United States, or the
22 use of a Social Security number for internal verification or
23 administrative purposes.
24 D. Any person who knowingly violates the provisions of this
25 section shall, upon conviction, be guilty of a felony punishable by
26 a fine of not less than Five Thousand Dollars ($5,000.00), or
27 imprisonment in the county jail for not more than ninety (90) days,
4
1 or by both such fine and imprisonment.
2 E. An individual may bring a civil action against a person
3 who has violated the provisions of this section and may recover
4 actual damages, plus costs and reasonable attorney fees.
5 F. As used in this section, nonaffiliated third party means
6 any business that is not officially associated or attached to that
7 business.
8 SECTION 4. NEW LAW A new section of law to be codified
9 in the Oklahoma Statutes as Section 1533.5 of Title 21, unless there
10 is created a duplication in numbering, reads as follows:
11 A. For purposes of Sections 3 and 4 of this act:
12 1. "Business" means sole proprietorship, partnership,
13 corporation, association, or other group, however organized and
14 whether or not organized, to operate at a profit. Business does
15 not mean a financial institution as defined by 15 U.S.C., Section
16 6809(3), officer, director, or employee of the institution, or a
17 licensee as defined by Section 365:35-1-4(17) of the Oklahoma
18 Administrative Code. The term business also includes an entity
19 that destroys records;
20 2. "Dispose" includes:
21 a. the discarding or abandonment of records containing
22 personal information, and
23 b. the sale, donation, discarding or transfer of any
24 medium, including computer equipment or computer media containing
25 records of personal information, or other nonpaper media upon which
26 records of personal information is stored, or other equipment for
27 nonpaper storage of information;
5
1 3. "Personal information" means any information that
2 identifies, relates to, describes, or is capable of being associated
3 with a particular individual including, but not limited to:
4 a. a name,
5 b. signature,
6 c. Social Security number,
7 d. fingerprint,
8 e. photograph or computerized image,
9 f. physical characteristics or description,
10 g. address,
11 h. telephone number,
12 i. passport number,
13 j. driver license or state identification card number,
14 k. date of birth,
15 l. medical information,
16 m. bank account number,
17 n. credit card number,
18 o. debit card number, or
19 p. any other financial information; and
20 4. "Records" means any material on which written, drawn,
21 spoken, visual or electromagnetic information is recorded or
22 preserved, regardless of physical form or characteristics.
23 "Records" does not include publicly available directories containing
24 information an individual has voluntarily consented to have publicly
25 disseminated or listed, such as name, address, or telephone number.
26 B. Any business that conducts business in Oklahoma and any
27 business that maintains or otherwise possesses personal information
6
1 of residents of Oklahoma shall take all reasonable measures to
2 protect against unauthorized access to or use of the information in
3 connection with, or after its disposal. The reasonable measures
4 must include, but may not be limited to:
5 1. Implementing and monitoring compliance with policies and
6 procedures that require the burning, pulverizing, or shredding of
7 papers containing personal information so that the information
8 cannot practicably be read or reconstructed;
9 2. Implementing and monitoring compliance with policies and
10 procedures that require the destruction or erasure of electronic
11 media and other nonpaper media containing personal information so
12 that the information cannot practicably be read or reconstructed;
13 3. After due diligence, entering into and monitoring
14 compliance with a written contract with another party engaged in the
15 business of record destruction to dispose of personal information in
16 a manner consistent with this act. Due diligence should ordinarily
17 include, but may not be limited to, one or more of the following:
18 a. reviewing an independent audit of the operations of
19 the disposal company or its compliance with this section or its
20 equivalent,
21 b. obtaining information about the disposal company from
22 several references or other reliable sources and requiring that the
23 disposal company be certified by a recognized trade association or
24 similar third party with a reputation for high standards of quality
25 review, or
26 c. reviewing and evaluating the information security
27 policies or procedures of the disposal company, or taking other
7
1 appropriate measures to determine the competency and integrity of
2 the disposal company; and
3 4. For disposal companies explicitly hired to dispose of
4 records containing personal information, implementing and monitoring
5 compliance with policies and procedures that protect against
6 unauthorized access to or use of personal information during or
7 after the collection, transportation, and disposing of the
8 information in accordance with paragraphs 1 and 2 of subsection B of
9 this section.
10 C. Procedures relating to the adequate destruction or proper
11 disposal of personal records must be comprehensively described and
12 classified as official policy in the writings of the business
13 entity, including corporate and employee handbooks and similar
14 corporate documents.
15 D. Any person or business that violates this section may be
16 subject to a fine not to exceed Three Thousand Dollars ($3,000.00)
17 for each offense.
18 E. An individual aggrieved by a violation of this section may
19 bring a civil action against the person or business to enjoin
20 further violations of this act and may recover actual damages,
21 costs, and reasonable attorney fees.
22 SECTION 5. NEW LAW A new section of law to be codified
23 in the Oklahoma Statutes as Section 1533.6 of Title 21, unless there
24 is created a duplication in numbering, reads as follows:
25 The provisions of this act are severable and if any part or
26 provision shall be held void, the decision of the court so holding
27 shall not affect or impair any of the remaining parts or provisions
8
1 of this act.
2 SECTION 6. This act shall become effective November 1, 2007.
3 51-1-5930 GRS 12/15/06
4 Page 1
5 Req. No. 5930
9