Tennessee Identity Theft Deterrence
Tenn. Code Ann. § 47-18-2101
TN - Tennessee Code Annotated
Title 47 Commercial Instruments And Transactions
Chapter 18 Consumer Protection
Part 21 Identity Theft Deterrence
47-18-2101. Short title.
47-18-2102. Definitions.
47-18-2103. Prohibited practices.
47-18-2104. Private rights of action.
47-18-2105. Civil penalties and remedies.
47-18-2106. Violation of Tennessee Consumer Protection Act.
47-18-2107. Release of personal consumer information.
47-18-2108. Security freeze at the request of the consumer.
47-18-2109. Notice to consumer regarding security freeze.
47-18-2110. Protecting social security numbers from disclosure.
47-18-2111. Protected consumer security freeze.
47-18-2101. Short title.
This part shall be known and may be cited as the “Tennessee Identity Theft Deterrence Act of 1999.”
History
Acts 1999, ch. 201, § 2.
47-18-2102. Definitions.
As used in this part and in the Tennessee Consumer Protection Act of 1977, compiled in part 1 of this chapter, unless the context otherwise requires:
(1) “Ascertainable loss” means an identifiable deprivation, detriment or injury arising from the identity theft or from any unfair, misleading or deceptive act or practice even when the precise amount of the loss is not known. Whenever a violation of this part has occurred, an ascertainable loss shall be presumed to exist;
(2) “Attorney general” means the office of the Tennessee attorney general and reporter;
(3) “Consumer report” has the meaning ascribed to that term by 15 U.S.C. § 1681a(d);
(4) “Consumer reporting agency” has the meaning ascribed to that term by 15 U.S.C. § 1681a(f);
(5) “Financial document” means any credit card, debit card, check or checking account information or number, savings deposit slip or savings account information or number, or similar financial account or account number, including but not limited to, a money market account, certificate of deposit, or other type of interest generating account with a bank, savings and loan or credit union account, or any other financial institution, mutual fund account, 401K account, individual retirement account, retirement account, or other stock account information, savings bond or other bond, credit line, equity line or other line of credit which the possessor of the account has the right to draw against;
(6) “Identification documents” means any card, certificate or document which identifies or purports to identify the bearer of such document, whether or not intended for use as identification, and includes, but is not limited to, documents purporting to be a driver license, nondriver identification cards, birth certificates, marriage certificates, divorce certificates, passports, immigration documents, social security cards, employee identification cards, cards issued by the government to provide benefits of any sort, health care benefit cards, or health benefit organization, insurance company or managed care organization cards for the purpose of identifying a person eligible for services;
(7) “Identity theft” means:
(A) Obtaining, possessing, transferring, using or attempting to obtain, possess, transfer or use, for unlawful economic benefit, one (1) or more identification documents or personal identification numbers of another person; or
(B) Otherwise obtaining, possessing, transferring, using or attempting to obtain, possess, transfer or use, for unlawful economic benefit, one (1) or more financial documents of another person;
(8) “Person” means a natural person, consumer, individual, governmental agency, partnership, corporation, trust, estate, incorporated or unincorporated association, and any other legal or commercial entity however organized;
(9) “Personal identification number” means any number that is assigned by the government to identify a particular person, including, but not limited to, social security number, federal tax payer identification number, Medicaid, Medicare or TennCare number which identifies a particular person eligible for benefits, any number assigned to a person as part of a licensure or registration process, such as a board of professional responsibility number, driver license number and passport number and any number assigned by an insurance company, health maintenance organization, managed care organization or other health benefit organization, for the purposes of identifying a particular person eligible for services; and
(10) “Tennessee Consumer Protection Act” means the Tennessee Consumer Protection Act of 1977, as amended, compiled in part 1 of this chapter and related statutes. Related statutes specifically include any statute that indicates within the law, regulation or rule that a violation of that law, regulation or rule is a violation of the Tennessee Consumer Protection Act of 1977. Without limiting the scope of this definition, related statutes include, but are not limited to: § 47-18-120; part 3 of this chapter; part 5 of this chapter; Home Solicitations Sales Act of 1974, compiled in part 7 of this chapter; Tennessee Credit Services Businesses Act, compiled in part 10 of this chapter; Consumer Telemarketing Protection Act of 1990, compiled in part 15 of this chapter; Unsolicited Telefacsimile Advertising Act [repealed]; Tennessee Employment Agency Act, compiled in part 17 of this chapter; and Membership Camping Act, compiled in title 66, chapter 32, part 3.
History
Acts 1999, ch. 201, § 3; 2007, ch. 170, § 2; 2019, ch. 459, § 37.
47-18-2103. Prohibited practices.
It is unlawful for any person to directly or indirectly:
(1) Engage in identity theft; or
(2) Engage in any unfair, deceptive, misleading act or practice for the purpose of directly or indirectly engaging in identity theft.
History
Acts 1999, ch. 201, § 4.
47-18-2104. Private rights of action.
(a) Any party commencing a private action pursuant to this part must provide a copy of the complaint and all other initial pleadings to the attorney general and upon entry of any judgment, order or decree of the action, shall mail a copy of such judgment, order or decree to the attorney general within five (5) days of entry of the judgment, order or decree.
(b) A copy of any notice of appeal shall be served by the appellant upon the attorney general, who in the public interest may intervene.
(c) A private action to enforce any liability created under this part may be brought within two (2) years from the date the liability arises, except that where a defendant has concealed the liability to that person, under this part, the action may be brought within two (2) years after discovery by the person of the liability. No action brought by the attorney general shall be subject to the limitation of actions contained herein.
(d) In any private action commenced under this part, if the private party establishes that identity theft was engaged in willfully or knowingly, the court may award three (3) times the actual damages and may provide such other relief as it considers necessary and proper.
(e) The action may be brought in a court of competent jurisdiction in the county where the identity theft or unfair, deceptive or misleading act or practice took place, is taking place, or is about to take place, or in the county in which such person resides, has such person's principal place of business, conducts, transacts, or has transacted business, or, if the person cannot be found in any of the foregoing locations, in the county in which such person can be found.
(f) Without regard to any other remedy or relief to which a person is entitled, anyone affected by a violation of this part may bring an action to obtain a declaratory judgment that the act or practice violates this part and to enjoin the person who has violated, is violating, or who is otherwise likely to violate this part; provided, that such action shall not be filed once the attorney general has commenced a proceeding pursuant to this part or the Tennessee Consumer Protection Act.
(g) Upon a finding by the court that a provision of this part has been violated, the court may award to the person bringing such action reasonable attorneys' fees and costs.
History
Acts 1999, ch. 201, § 5; 2019, ch. 459, § 38.
47-18-2105. Civil penalties and remedies.
(a)
(1) Whenever the attorney general has reason to believe that a person has engaged in, is engaging in, or based upon information received from another law enforcement agency, is about to engage in any unlawful act or practice under this part and that proceedings would be in the public interest, the attorney general may bring an action in the name of the state against the person to restrain by temporary restraining order, temporary injunction, or permanent injunction the use of such act or practice. Additionally, the state may request an asset freeze or any other appropriate and necessary orders against such person.
(2) As part of any action brought pursuant to subdivision (a)(1), the attorney general shall certify that the division of consumer affairs complied with § 47-18-5002(2) unless the attorney general determines that the purposes of this part will be substantially impaired by delaying legal proceedings.
(b) The action may be brought in the chancery or circuit court in Davidson County or in a court of competent jurisdiction where the alleged violation of this part, identity theft, unfair, misleading or deceptive act or practice took place or is about to take place or in the county in which the person resides, has the person's principal place of business, conducts, transacts or has transacted business or, if the person cannot be found, in any of the locations listed in this subsection (b), in the county in which the person can be found.
(c) The courts are authorized to issue orders and injunctions to restrain and prevent violations of this part or issue any other necessary or appropriate relief or orders. Such orders and injunctions shall be issued without bond to the state of Tennessee.
(d) Notwithstanding any other law, a violation of this part shall be punishable by a civil penalty of whichever of the following is greater: ten thousand dollars ($10,000), five thousand dollars ($5,000) per day for each day that a person's identity has been assumed or ten (10) times the amount obtained or attempted to be obtained by the person using the identity theft. This civil penalty is supplemental, cumulative and in addition to any other penalties and relief available under the Tennessee Consumer Protection Act, or other laws, regulations or rules.
(e) In any successful action commenced under this part, any ascertainable loss that a person has incurred as a result of a violation of this part, including, but not limited to, the identity theft or misleading, deceptive or unfair practices used to engage in violations of this part shall be recovered as restitution for each such person. The person shall also be awarded statutory interest on that ascertainable loss.
(f) In any successful action commenced by the attorney general under this part, the court shall also order reimbursement to the attorney general of the reasonable attorneys' fees, costs and expenses of the investigation and prosecution under this part.
(g) No court costs, litigation costs, discretionary costs or attorneys' fees shall be taxed or awarded against the state in an action commenced under this part or under the Tennessee Consumer Protection Act.
(h) Any knowing or willful violation of the terms of an injunction or order issued pursuant to this part in an action commenced by the attorney general shall be punishable by a civil penalty of not more than five thousand dollars ($5,000) for each and every violation of the order recoverable by the state, in addition to any other appropriate relief, including, but not limited to, contempt sanctions and the awarding of attorneys' fees and costs to the state for any filings relating to violations of any order under this part.
(i) An order or judgment issued as a result of an action commenced by the attorney general shall in no way affect individual rights of action which may exist independent of the recovery of money or property received under such order or judgment. If a particular person receives restitution as a result of an action commenced by the attorney general, those funds shall act only as a set-off against any award of money received in the person's private right of action proceedings.
History
Acts 1999, ch. 201, § 6; 2007, ch. 170, §§ 7-9; 2019, ch. 459, §§ 39-41.
47-18-2106. Violation of Tennessee Consumer Protection Act.
(a) A violation of this part constitutes a violation of the Tennessee Consumer Protection Act.
(b) For the purpose of application of the Tennessee Consumer Protection Act, any violation of this part shall be construed to constitute an unfair or deceptive act or practice affecting trade or commerce and subject to the penalties and remedies as provided in that act, in addition to the penalties and remedies set forth in this part.
(c) If the attorney general has reason to believe that a person has violated this part, then the attorney general may institute a proceeding under this chapter.
History
Acts 1999, ch. 201, § 7; 2019, ch. 459, § 42.
47-18-2107. Release of personal consumer information.
(a) As used in this section:
(1) “Breach of system security”:
(A) Means the acquisition of the information set out in subdivision (a)(1)(A)(i) or (a)(1)(A)(ii) by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder:
(i) Unencrypted computerized data; or
(ii) Encrypted computerized data and the encryption key; and
(B) Does not include the good faith acquisition of personal information by an employee or agent of the information holder for the purposes of the information holder if the personal information is not used or subject to further unauthorized disclosure;
(2) “Encrypted” means computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2;
(3) “Information holder” means any person or business that conducts business in this state, or any agency of this state or any of its political subdivisions, that owns or licenses computerized personal information of residents of this state;
(4) “Personal information”:
(A) Means an individual's first name or first initial and last name, in combination with any one (1) or more of the following data elements:
(i) Social security number;
(ii) Driver license number; or
(iii) Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; and
(B) Does not include information that is lawfully made available to the general public from federal, state, or local government records or information that has been redacted, or otherwise made unusable; and
(5) “Unauthorized person” includes an employee of the information holder who is discovered by the information holder to have obtained personal information with the intent to use it for an unlawful purpose.
(b) Following discovery or notification of a breach of system security by an information holder, the information holder shall disclose the breach of system security to any resident of this state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made no later than forty-five (45) days from the discovery or notification of the breach of system security, unless a longer period of time is required due to the legitimate needs of law enforcement, as provided in subsection (d).
(c) Any information holder that maintains computerized data that includes personal information that the information holder does not own shall notify the owner or licensee of the information of any breach of system security if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made no later than forty-five (45) days from the discovery or notification of the breach of system security, unless a longer period of time is required due to the legitimate needs of law enforcement, as provided in subsection (d).
(d) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. If the notification is delayed, it must be made no later than forty-five (45) days after the law enforcement agency determines that notification will not compromise the investigation.
(e) For purposes of this section, notice may be provided by one (1) of the following methods:
(1) Written notice;
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 or if the information holder's primary method of communication with the resident of this state has been by electronic means; or
(3) Substitute notice, if the information holder demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), that the affected class of subject persons to be notified exceeds five hundred thousand (500,000) persons, or the information holder does not have sufficient contact information and the notice consists of all of the following:
(A) Email notice, when the information holder has an email address for the subject persons;
(B) Conspicuous posting of the notice on the information holder's website, if the information holder maintains a website page; and
(C) Notification to major statewide media.
(f) Notwithstanding subsection (e), if an information holder maintains its own notification procedures as part of an information security policy for the treatment of personal information and if the policy is otherwise consistent with the timing requirements of this section, the information holder is in compliance with the notification requirements of this section, as long as the information holder notifies subject persons in accordance with its policies in the event of a breach of system security.
(g) If an information holder discovers circumstances requiring notification pursuant to this section of more than one thousand (1,000) persons at one (1) time, the information holder must also notify, without unreasonable delay, all consumer reporting agencies, as defined by 15 U.S.C. § 1681a, and credit bureaus that compile and maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notices.
(h) Any customer of an information holder who is a person or business entity, but who is not an agency of this state or any political subdivision of this state, and who is injured by a violation of this section, may institute a civil action to recover damages and to enjoin the information holder from further action in violation of this section. The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
(i) This section does not apply to any information holder that is subject to:
(1) Title V of the Gramm-Leach-Bliley Act of 1999 (Pub. L. No. 106-102); or
(2) The Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. § 1320d et seq.), as expanded by the Health Information Technology for Clinical and Economic Health Act (42 U.S.C. § 300jj et seq., and 42 U.S.C. § 17921 et seq.).
History
Acts 2005, ch. 473, § 1; 2016, ch. 692, §§ 1-4; 2017, ch. 91, § 1.
47-18-2108. Security freeze at the request of the consumer.
(a) A Tennessee consumer may place a security freeze on the consumer report of the Tennessee consumer by making a request in writing by certified mail. Beginning on January 31, 2009, a credit reporting agency shall make available an electronic method for requesting a security freeze. A security freeze shall prohibit the consumer reporting agency from releasing the requesting party's consumer report or credit score relating to the extension of credit without the express authorization of the Tennessee consumer. Nothing in this section shall prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to a particular consumer report.
(b) A consumer reporting agency shall place a security freeze on a consumer report no later than three (3) business days after receiving the written or electronic request from the Tennessee consumer.
(c) The consumer reporting agency shall send a written confirmation of the security freeze to the Tennessee consumer within ten (10) business days of placing the security freeze on the consumer report, and shall provide the Tennessee consumer with a unique personal identification number or password, other than the Tennessee consumer's federal social security number, to be used by the Tennessee consumer when providing authorization for the release of the consumer report for a specific period of time or for permanently removing the security freeze.
(d) If the Tennessee consumer wishes to allow the consumer report to be accessed for a specific period of time while a freeze is in place, the Tennessee consumer shall contact the consumer reporting agency, request that the freeze be temporarily lifted, and provide the following:
(1) Proper identification;
(2) The unique personal identification number or password provided by the consumer reporting agency to the Tennessee consumer pursuant to this section; and
(3) The information requested by the consumer reporting agency about the period for which the consumer report is to be available.
(e) A consumer reporting agency shall develop procedures involving the use of telephone, the Internet, or other electronic method to receive and process a request from a Tennessee consumer to temporarily lift a freeze on a credit report pursuant to this section in an expedited manner. A consumer reporting agency may develop procedures involving the use of facsimile for this purpose.
(f) A consumer reporting agency shall comply with a request to temporarily lift a freeze previously placed on a consumer report no later than fifteen (15) minutes after receiving the request through an electronic contact method in accordance with this section and the request is received between six o'clock a.m. (6:00 a.m.) and nine-thirty p.m. (9:30 p.m.), seven (7) days per week, eastern or central standard or daylight time as applicable to the consumer. In requesting a temporary removal of the security freeze, a Tennessee consumer shall provide both of the following:
(1) Proper identification; and
(2) The unique personal identification number or password provided by the consumer reporting agency to the Tennessee consumer pursuant to this section.
(g) A consumer reporting agency is not required to temporarily lift a security freeze within the time provided in subsection (f) if:
(1) The consumer fails to meet the requirements of subsection (d); or
(2) The consumer reporting agency's ability to temporarily lift the security freeze within fifteen (15) minutes is prevented by:
(A) An act of God, including fire, earthquakes, hurricanes, storms, or similar natural disaster or phenomenon;
(B) Unauthorized or illegal acts by a third party, including terrorism, sabotage, riot, vandalism, labor strikes or disputes disrupting operations, or similar occurrence;
(C) Operational interruption including electrical failure, unanticipated delay in equipment or replacement part delivery, computer hardware or software failures inhibiting response time, or similar disruption;
(D) Governmental action, including emergency orders or regulations, judicial or law enforcement action, or similar directives;
(E) Regularly scheduled maintenance, during other than normal business hours, of, or updates to, the consumer reporting agency's systems; or
(F) Commercially reasonable maintenance of or repair to, the consumer reporting agency's systems that is unexpected or unscheduled.
(h) If a third party requests access to a consumer report on which a security freeze is in effect and the Tennessee consumer does not allow the third party access to the consumer report, the third party may treat any applicable credit application made by the consumer as incomplete.
(i) If a Tennessee consumer requests a security freeze pursuant to this section, the consumer reporting agency shall disclose to the Tennessee consumer the process of placing and temporarily lifting a security freeze and the process for allowing access to information from the consumer report for a specific period of time while the security freeze is in place.
(j) Except as provided in subsections (d), (e), and (f), a security freeze shall remain in place until the Tennessee consumer requests that the security freeze be removed permanently. A consumer reporting agency shall permanently remove a security freeze no later than two (2) business days from the receipt of a request by the agency when a Tennessee consumer makes the request by means involving the use of telephone, the Internet, or other electronic media as provided by the consumer reporting agency. In making the request, the Tennessee consumer shall provide both of the following:
(1) Proper identification; and
(2) The unique personal identification number or password provided by the consumer reporting agency to the Tennessee consumer pursuant to this section.
(k) If a security freeze is in place, a consumer credit reporting agency shall not change any of the following official information in a consumer credit report without sending a written confirmation of the change to the consumer not later than thirty (30) days of the change being posted to the consumer's file: name, date of birth, social security number, and address. Written confirmation is not required for technical modifications of a consumer's official information, including name and street abbreviations, complete spellings or transposition of numbers or letters. In the case of an address change, the written confirmation shall be sent to both the new address and to the former address.
(l) A consumer report agency shall not charge a Tennessee consumer to place, temporarily lift, or permanently remove a security freeze.
(m) This section, including the security freeze, does not apply to the use of a consumer report by the following:
(1) A person, or that person's subsidiary, affiliate, agent or assignee, if the Tennessee consumer has an account, contract, or debtor-creditor relationship with that person, for the purposes of reviewing the account, collecting the financial obligation of the consumer, fraud control or extending additional credit to the Tennessee consumer. For purposes of this subdivision (m)(1), “reviewing the account” includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements;
(2) A subsidiary, affiliate, agent or assignee of a party or parties for whom a security freeze has been temporarily lifted pursuant to this section for the purpose of facilitating the extension of credit or other permissible use;
(3) Any person, including, but not limited to, a law enforcement entity, collections officer or private collection agency, acting pursuant to a court order, warrant or subpoena authorizing the use of the consumer report, or acting pursuant to a civil investigative demand or request for consumer protection information;
(4) Any department or division of the state that is acting to investigate a child support case, medicaid or TennCare fraud, delinquent taxes or assessments, unpaid court orders or settlements of any sort or type, or to fulfill any of their statutory or other duties;
(5) For the purposes of prescreening as provided by the federal Fair Credit Reporting Act, codified in 15 U.S.C. § 1681;
(6) Any person for the purpose of providing a credit file monitoring subscription service to which the Tennessee consumer has subscribed;
(7) A consumer reporting agency for the sole purpose of providing a Tennessee consumer with a copy of the consumer report upon the Tennessee consumer's request;
(8) Any person or entity for the purpose of setting or adjusting a rate, adjusting a claim, or underwriting for insurance purposes;
(9) A pension plan acting to determine the Tennessee consumer's eligibility for plan benefits or payments authorized by law or to investigate fraud;
(10) Any law enforcement entity or its agent acting to investigate a crime or civil law violation, conduct a criminal background check, conduct a presentence investigation in a criminal matter or use the information for supervision of a paroled offender;
(11) A licensed hospital with which the Tennessee consumer has or had a contract or a debtor-creditor relationship for the purpose of reviewing the account or collecting the financial obligation owing for the contract, account, or debt; or
(12) An attorney at law duly licensed in Tennessee representing any person, subsidiary, affiliate, agent, assignee, department, division, or other entity to whom this section does not apply.
(n) The following entities are not subject to the requirements of this section; provided, however, that each such entity shall be subject to any security freeze placed on a consumer report by a consumer reporting agency from which it obtains information:
(1) A consumer reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the database of another consumer reporting agency or multiple consumer credit reporting agencies, and does not maintain a permanent data base of credit information from which new consumer credit reports are produced; however, a consumer reporting agency acting as a reseller shall honor any security freeze placed on a consumer credit report by another consumer reporting agency;
(2) A check services or fraud prevention services company that issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments;
(3) A deposit account information service company that issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse, or similar negative information regarding a Tennessee consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution; and
(4) A consumer reporting agency's database or file that consists of information concerning, and used for, one (1) or more of the following: criminal record information, fraud prevention or detection, personal loss history information, and employment, tenant, or individual background screening.
(o) Exclusive of all other private and nongovernmental remedies that may be imposed, any person who fails to comply with any requirement imposed under this section with respect to any Tennessee consumer is liable to that Tennessee consumer in an amount equal to the sum of:
(1)
(A) Any ascertainable losses sustained by the Tennessee consumer as a result of the failure, or damages of not less than one hundred dollars ($100) nor more than one thousand dollars ($1,000), whichever is greater, in addition to any other governmental remedies available at law; or
(B) In the case of liability of a natural person for obtaining a consumer report under false pretenses without a permissible purpose, ascertainable losses sustained by the consumer as a result of the failure or one thousand dollars ($1,000), whichever is greater, in addition to any other governmental remedies available at law;
(2) An amount of punitive damages that the court may allow in a private right of action or other nongovernmental action; and
(3) In the case of any successful action to enforce any liability under this section, the costs of the action together with reasonable attorneys' fees as determined by the court.
(p) Any person who obtains a consumer report, requests a security freeze, requests the temporary lift of a freeze, or the removal of a security freeze from a consumer reporting agency under false pretenses or in an attempt to violate federal or state law shall be liable to the consumer reporting agency for ascertainable losses sustained by the consumer reporting agency or one thousand dollars ($1,000), whichever is greater, in addition to any other governmental remedies available at law.
(q) In addition to any other governmental remedies available at law, any person who is negligent in failing to comply with any requirement imposed under this section with respect to any Tennessee consumer is liable to that Tennessee consumer in an amount equal to the sum of:
(1) Any ascertainable losses sustained by the Tennessee consumer as a result of the failure; and
(2) In the case of any successful action to enforce any liability under this section, the costs of the action together with reasonable attorneys' fees as determined by the court.
(r) Upon a finding by the court that an unsuccessful, nongovernmental pleading, motion, or other paper filed in connection with an action under this section was filed in bad faith or for purposes of harassment, the court shall award to the prevailing party attorneys' fees reasonable in relation to the work expended in responding to the pleading, motion, or other paper.
(s) Notwithstanding any other provision of this section, the sole power to enforce violations of subsection (f) shall be with the attorney general and reporter.
History
Acts 2007, ch. 170, § 4; 2008, ch. 633, §§ 1, 2; 2008, ch. 1120, § 8; 2018, ch. 595, § 1.
47-18-2109. Notice to consumer regarding security freeze.
At any time that a Tennessee consumer is required to receive a summary of rights required by 15 U.S.C. § 1681g(d) of the federal Fair Credit Reporting Act, the Tennessee consumer shall also be provided with the following prominent, clear and conspicuous notice in at least twelve (12) point type:
TENNESSEE CONSUMERS HAVE THE RIGHT TO OBTAIN A SECURITY FREEZE
You have a right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. A security freeze must be requested in writing by certified mail or by electronic means as provided by a consumer reporting agency. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. If you are actively seeking a new credit, loan, utility, or telephone account, you should understand that the procedures involved in lifting a security freeze may slow your applications for credit. You should plan ahead and lift a freeze in advance of actually applying for new credit. When you place a security freeze on your credit report, you will be provided a personal identification number or password to use if you choose to remove the freeze on your credit report or authorize the release of your credit report for a period of time after the freeze is in place. To provide that authorization you must contact the consumer reporting agency and provide all of the following:
(1) The personal identification number or password;
(2) Proper identification to verify your identity; and
(3) The proper information regarding the period of time for which the report shall be available.
A consumer reporting agency must authorize the release of your credit report no later than fifteen (15) minutes after receiving the above information.
A security freeze does not apply to a person or entity, or its affiliates, or collection agencies acting on behalf of the person or entity, with which you have an existing account, that requests information in your credit report for the purposes of fraud control, or reviewing or collecting the account. Reviewing the account includes activities related to account maintenance.
You should consider filing a complaint regarding your identity theft situation with the federal trade commission and the attorney general and reporter, either in writing or via their web sites.
You have a right to bring civil action against anyone, including a consumer reporting agency, who improperly obtains access to a file, misuses file data, or fails to correct inaccurate file data.
History
Acts 2007, ch. 170, § 5; 2018, ch. 595, § 2; 2019, ch. 459, § 43.
47-18-2110. Protecting social security numbers from disclosure.
(a) On and after January 1, 2008, any person, nonprofit or for profit business entity in this state, including, but not limited to, any sole proprietorship, partnership, limited liability company, or corporation, engaged in any business, including, but not limited to, health care, that has obtained a federal social security number for a legitimate business or governmental purpose shall make reasonable efforts to protect that social security number from disclosure to the public. Social security numbers shall not:
(1) Be posted or displayed in public;
(2) Be required to be transmitted over the Internet, unless the Internet connection used is secure or the social security number is encrypted;
(3) Be required to log onto or access an Internet web site, unless used in combination with a password or other authentication device;
(4) Be printed on any materials mailed to a consumer, unless the disclosure is required by law, or the document is a form or application; or
(5) Be printed on any check, card, identification, or badge that the consumer must display or present in order to receive a benefit, good, service or other thing of value to which the consumer is entitled based upon the consumer's contract or other agreement with the entity issuing the check, card, identification, or badge.
(b) The requirements established pursuant to subsection (a) shall not apply:
(1) To the disclosure of a federal social security number by an entity so long as the disclosure is for a legitimate business or governmental purpose and occurs pursuant to the terms of a business or governmental contract or other lawful legal obligation; or
(2) If the:
(A) Person gives permission, in writing;
(B) Disclosure is authorized or required under state or federal law; or
(C) Disclosure is made:
(i) To a consumer reporting agency as defined by the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.);
(ii) To a financial institution subject to the privacy provisions of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6802); or
(iii) To a financial institution subject to the International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001 (31 U.S.C. § 5311 et seq.).
(c) On and after January 1, 2009, a violation of subsection (a) is a Class B misdemeanor. Each violation of subsection (a) shall constitute a separate offense.
(d) In addition to the criminal offense created pursuant to subsections (a) and (b), on and after January 1, 2009, it is also a civil violation of this part, subject to the penalty provided in this part, for any person, any nonprofit or for profit business entity in this state, including, but not limited to, any sole proprietorship, partnership, limited liability company, or corporation, engaged in any business, including, but not limited to, health care, to violate any of the prohibitions of subsection (a).
(e) Any state agency or nonprofit or for profit business entity engaged in the provision of health care services under Title XIX, including determining eligibility for Title XIX services, shall be exempted from the requirements of subsections (a) and (b).
History
Acts 2007, ch. 170, § 6; 2009, ch. 269, § 1; 2015, ch. 127, §§ 1, 2.
47-18-2111. Protected consumer security freeze.
(a) As used in this section:
(1) “Protected consumer” means:
(A) An individual who is under sixteen (16) years of age at the time a request for the placement of a security freeze under this section is made; or
(B) An incapacitated person for whom a guardian or conservator has been appointed pursuant to title 34;
(2) “Protected consumer security freeze” means:
(A) If a consumer reporting agency does not have a consumer report pertaining to the protected consumer, a restriction that:
(i) Is placed on the protected consumer's record in accordance with this section; and
(ii) Prohibits the consumer reporting agency from releasing the protected consumer's record except as provided in this section; or
(B) If a consumer reporting agency has a consumer report pertaining to the protected consumer, a restriction that:
(i) Is placed on the protected consumer's consumer report in accordance with this section; and
(ii) Prohibits the consumer reporting agency from releasing the protected consumer's consumer report or any information derived from the protected consumer's consumer report except as provided in this section;
(3) “Record” means a compilation of information that:
(A) Identifies a protected consumer;
(B) Is created by a consumer reporting agency solely for the purpose of complying with this section; and
(C) Shall not be created or used to consider the protected consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living;
(4) “Representative” means a person who provides to a consumer reporting agency sufficient proof of authority to act on behalf of a protected consumer;
(5) “Sufficient proof of authority”:
(A) Means documentation that shows a representative has authority to act on behalf of a protected consumer; and
(B) Includes:
(i) An order issued by a court of law;
(ii) A lawfully executed and valid power of attorney; and
(iii) A written, notarized statement signed by a representative that expressly describes the authority of the representative to act on behalf of a protected consumer; and
(6) “Sufficient proof of identification”:
(A) Means information or documentation that identifies a protected consumer or the protected consumer's representative; and
(B) Includes:
(i) A social security number or a copy of a social security card issued by the social security administration;
(ii) A certified or official copy of a certificate of birth issued by the entity authorized to issue the certificate of birth pursuant to title 68, chapter 3, part 3;
(iii) A copy of a valid driver license or any other government-issued identification; or
(iv) A copy of a bill, including a bill for telephone, sewer, septic tank, water, electric, oil, or natural gas services, that shows a name and home address.
(b) This section does not apply to:
(1) A person administering a consumer report monitoring subscription service to which:
(A) The protected consumer has subscribed; or
(B) The protected consumer's representative has subscribed on behalf of the protected consumer;
(2) A person providing the protected consumer or the protected consumer's representative with a copy of the protected consumer's consumer report on request of the protected consumer or the protected consumer's representative;
(3) A consumer reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the database of another consumer reporting agency or multiple consumer reporting agencies, and does not maintain a permanent database of credit information from which new consumer credit reports are produced; provided, a consumer reporting agency acting as a reseller shall honor any security freeze placed on a consumer credit report by another consumer reporting agency;
(4) A check services or fraud prevention services company that issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments;
(5) A deposit account information service company that issues reports regarding account closures due to fraud, substantial overdrafts, automatic teller machine abuse, or similar negative information regarding a consumer to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution; or
(6) A consumer reporting agency database or file that consists entirely of consumer information concerning, and used solely for:
(A) Criminal record information;
(B) Personal loss history information;
(C) Fraud prevention or detection;
(D) Employment screening; or
(E) Tenant screening.
(c) A consumer reporting agency shall place a protected consumer security freeze for a protected consumer if:
(1) The consumer reporting agency receives a request from the protected consumer's representative for the placement of the security freeze under this section; and
(2) The protected consumer's representative:
(A) Submits the request to the consumer reporting agency at the address or other point of contact and in the manner specified by the consumer reporting agency;
(B) Provides to the consumer reporting agency sufficient proof of identification of the protected consumer and the representative;
(C) Provides to the consumer reporting agency sufficient proof of authority to act on behalf of the protected consumer; and
(D) Pays to the consumer reporting agency a fee as provided in subsection (j).
(d) If a consumer reporting agency does not have a consumer report pertaining to a protected consumer when the consumer reporting agency receives a request under subdivision (c)(2), the consumer reporting agency shall create a record for the protected consumer.
(e) Within thirty (30) days after receiving a request that meets the requirements of subdivision (c)(2), a consumer reporting agency shall place a protected consumer security freeze.
(f) Unless a protected consumer security freeze is removed in accordance with subsection (h) or (k), a consumer reporting agency shall not release the protected consumer's consumer report, any information derived from the protected consumer's consumer report, or any record created for the protected consumer.
(g) A protected consumer security freeze placed under subsection (e) shall remain in effect until:
(1) The protected consumer or the representative requests the consumer reporting agency to remove the protected consumer security freeze in accordance with subsection (h); or
(2) The protected consumer security freeze is removed in accordance with subsection (k).
(h) If a protected consumer or the representative wishes to remove a protected consumer security freeze, the protected consumer or the representative shall:
(1) Submit a request for the removal of the protected consumer security freeze to the consumer reporting agency at the address or other point of contact and in the manner specified by the consumer reporting agency;
(2) Provide to the consumer reporting agency:
(A) In the case of a request by the protected consumer:
(i) Proof that the sufficient proof of authority for the representative to act on behalf of the protected consumer is no longer valid; and
(ii) Sufficient proof of identification of the protected consumer; or
(B) In the case of a request by the representative:
(i) Sufficient proof of identification of the protected consumer and the representative; and
(ii) Sufficient proof of authority to act on behalf of the protected consumer; and
(3) Pay to the consumer reporting agency a fee as provided in subsection (j).
(i) Within thirty (30) days after receiving a request that meets the requirements of subsection (h), the consumer reporting agency shall remove the protected consumer security freeze.
(j)
(1) Except as provided in subdivision (j)(2), a consumer reporting agency shall not charge any fee for any service performed under this section.
(2) A consumer reporting agency may charge a reasonable fee, not exceeding ten dollars ($10.00), for each placement or removal of a protected consumer security freeze.
(3) Notwithstanding subdivision (j)(2), a consumer reporting agency shall not charge any fee under this section if:
(A) The protected consumer's representative:
(i) Has obtained a police report of alleged identity fraud as described in § 39-14-150, and the protected consumer is the alleged victim; and
(ii) Provides a copy of the police report to the consumer reporting agency; or
(B) A request for the placement or removal of a protected consumer security freeze is for a protected consumer who is under sixteen (16) years of age at the time of the request and the consumer reporting agency has a consumer report pertaining to the protected consumer.
(k) A consumer reporting agency may remove a protected consumer security freeze or delete a record of a protected consumer if the protected consumer security freeze was placed, or the record was created, based on a material misrepresentation of fact by the protected consumer or the representative.
(l) If a consumer reporting agency negligently violates subsection (f) by releasing credit information that has been placed under a protected consumer security freeze, the affected protected consumer and representative shall be entitled to all remedies set out in § 47-18-2108 in addition to any other remedies provided for by law.
(m) [Deleted by 2019 amendment.]
(n) With regard to security freezes as described in this section, this section supersedes § 47-18-2108.
History
Acts 2015, ch. 282, § 1; 2019, ch. 459, § 44.
For more information, see here: https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=966a14a8-3849-47ff-a2e9-4d4e0d6105fd&nodeid=ABVAAUAAVAAB&nodepath=%2FROOT%2FABV%2FABVAAU%2FABVAAUAAV%2FABVAAUAAVAAB&level=4&haschildren=&populated=false&title=47-18-2101.+Short+title.&config=025054JABlOTJjNmIyNi0wYjI0LTRjZGEtYWE5ZC0zNGFhOWNhMjFlNDgKAFBvZENhdGFsb2cDFQ14bX2GfyBTaI9WcPX5&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A4X8K-XB40-R03J-K1JY-00008-00&ecomp=vg1_kkk&prid=744f246f-5aa6-4519-9d24-b42e37ec12f4
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.