MISSISSIPPI LEGISLATURE

2007 Regular Session

To: Judiciary, Division B

By: Senator(s) Tollison

Senate Bill 2089

(COMMITTEE SUBSTITUTE)

AN ACT TO CREATE THE "MISSISSIPPI CLEAN CREDIT AND IDENTITY THEFT PROTECTION ACT"; TO DEFINE CERTAIN TERMS; TO AUTHORIZE CONSUMERS TO PLACE A SECURITY FREEZE ON THEIR CREDIT FILES; TO LIMIT THE RELEASE OR SHARING OF CREDIT HEADER INFORMATION; TO PROVIDE A CONSUMER WITH THE RIGHT TO FILE A POLICE REPORT REGARDING IDENTITY THEFT WITH THE LOCAL LAW ENFORCEMENT AGENCY HAVING JURISDICTION OVER HIS ACTUAL RESIDENCE; TO PROVIDE IDENTITY THEFT VICTIMS WITH THE RIGHT TO OBTAIN A COURT ORDERED FACTUAL DECLARATION OF INNOCENCE AND TO CREATE A STATEWIDE CRIMINAL IDENTITY THEFT REGISTRY; TO REQUIRE NOTICE TO CONSUMERS IN THE EVENT THAT SECURITY OF DATA HAS BEEN BREACHED; TO LIMIT THE USE OF SOCIAL SECURITY NUMBERS; TO PROHIBIT INSURERS FROM USING INFORMATION REGARDING A CONSUMER'S CREDITWORTHINESS FOR THE PURPOSE OF DETERMINING RATES FOR INSURANCE OR ELIGIBILITY FOR COVERAGE; TO REGULATE THE DISPOSAL OF RECORDS CONTAINING PERSONAL INFORMATION; AND FOR RELATED PURPOSES.

     BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MISSISSIPPI:

     SECTION 1.  The provisions of this act shall be known and may be cited as the "Mississippi Clean Credit and Identity Theft Protection Act."

     SECTION 2.  For the purposes of this act, the following terms shall have the following meanings:

          (a)  The term "person" means any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.

          (b)  "Consumer" means an individual.

          (c)  "Consumer reporting agency" means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.

          (d)  "Consumer report" or "credit report" means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for:

              (i)  Credit or insurance to be used primarily for personal, family, or household purposes, except that nothing in this act authorizes the use of credit evaluations, credit scoring or insurance scoring in the underwriting of personal lines of property or casualty insurance;

              (ii)  Employment purposes; or

              (iii)  Any other purpose authorized under 15 USC, Section 1681b.

          (e)  "Credit card" has the same meaning as in Section 103 of the Truth in Lending Act.

          (f)  "Credit header information" means written, oral or other communication of any information by a consumer reporting agency regarding the social security number of the consumer, or any derivative thereof, and any other personally identifiable information of the consumer that is derived using any nonpublic personal information, except the name, address and telephone number of the consumer if all are listed in a residential telephone directory available in the locality of the consumer.

          (g)  "Credit history" means any written, oral or other communication of any information by a consumer reporting agency bearing on a consumer's creditworthiness, credit standing or credit capacity that is used or expected to be used, or collected in whole or in part, for the purpose of determining personal lines insurance premiums or eligibility for coverage.

          (h)  "Debit card" means any card or device issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account holding assets of the consumer at such financial institution, for the purpose of transferring money between accounts or obtaining money, property, labor or services.

     SECTION 3.  (1)  Definitions.  For the purposes of this section, the following terms shall have the following meanings:

          (a)  "Security freeze" means a notice, at the request of the consumer and subject to certain exceptions, that prohibits the consumer reporting agency from releasing all or any part of the consumer's credit report or any information derived from it without the express authorization of the consumer.  If a security freeze is in place, such a report or information may not be released to a third party without prior express authorization from the consumer.  This paragraph does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's credit report.

          (b)  "Reviewing the account" or "account review" includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.

     (2)  Security freeze:  Timing, covered entities, cost.

          (a)  A consumer may elect to place a "security freeze" on his or her credit report by:

              (i)  Making a request by mail;

              (ii)  Making a request by telephone by providing certain personal identification; or

               (iii)  Making a request directly to the consumer reporting agency through a secure electronic mail connection if such connection is made available by the agency.  Credit reporting agencies shall make a secure electronic mail method of requesting a security freeze available within one hundred eighty (180) days of the effective date of this act.

          (b)  A consumer reporting agency shall place a security freeze on a consumer's credit report no later than five (5) business days after receiving a written or telephone request from the consumer or three (3) business days after receiving a secure electronic mail request.  Within one (1) year of the effective date of this act, a consumer reporting agency shall place a security freeze on a consumer's credit report no later than three (3) business days after receiving a written or telephone request from the consumer or one (1) business day after receiving a secure electronic mail request.  Within two (2) years of the effective date of this act, a consumer reporting agency shall place a security freeze on a consumer's credit reporting agency no later than one (1) business day after receiving a written or telephone request.

          (c)  The consumer reporting agency shall send a written confirmation of the security freeze to the consumer within five (5) business days of placing the freeze and at the same time shall provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of his or her credit for a specific party or period of time, or when permanently lifting the freeze.  Within one (1) year of the effective date of this act, the consumer reporting agency shall send such a written confirmation and unique personal identification number or password to the consumer no later than one (1) business day after placing the freeze.

          (d)  If the consumer wishes to allow his or her credit report to be accessed for a specific party or period of time while a freeze is in place, he or she shall contact the consumer reporting agency via telephone, mail,or secure electronic mail, with a request that the freeze be temporarily lifted, and provide the following:

              (i)  Proper identification;

              (ii)  The unique personal identification number or password provided by the consumer reporting agency pursuant to paragraph (c) of subsection (2); and

              (iii)  The proper information regarding the third party who is to receive the credit report or the time period for which the report shall be available to users of the credit report.

          (e)  A consumer reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report pursuant to paragraph (d) of subsection (2) shall comply with the request no later than three (3) business days after receiving the request.  Within one (1) year of the effective date of this act, a consumer reporting agency shall honor such a request no later than one business day after receiving the request.  Within two (2) years of the effective date of this act, a consumer reporting agency shall honor such a request made by electronic mail or by telephone within fifteen (15) minutes of receiving the request.

          (f)  A consumer reporting agency shall develop procedures involving the use of telephone, fax, or, upon the consent of the consumer in the manner required by the Electronic Signatures in Global and National Commerce Act [E-Sign] for legally required notices, by the Internet, e-mail, or other electronic media to receive and process a request from a consumer to temporarily lift a freeze on a credit report pursuant to paragraph (d) of subsection (2) in an expedited manner.

          (g)  A consumer reporting agency shall remove or temporarily lift a freeze placed on a consumer's credit report only in the following cases:

              (i)  Upon consumer request, pursuant to paragraph (d) or paragraph (j) of subsection (2);

              (ii)  If the consumer's credit report was frozen due to a material misrepresentation of fact by the consumer.  If a consumer reporting agency intends to remove a freeze upon a consumer's credit report pursuant to this paragraph (g), the consumer reporting agency shall notify the consumer in writing five (5) business days prior to removing the freeze on the consumer's credit report.

          (h)  If a third party requests access to a consumer credit report on which a security freeze is in effect, and this request is in connection with an application for credit or any other use, and the consumer does not allow his or her credit report to be accessed for that specific party or period of time, the third party may treat the application as incomplete.

          (i)  If a third party requests access to a consumer credit report on which a security freeze is in effect for the purpose of receiving, extending, or otherwise utilizing the credit therein, and not for the sole purpose of account review, the consumer credit report agency must notify the consumer that an attempt has been made to access the credit report.

          (j)  A security freeze shall remain in place until the consumer requests that the security freeze be removed.  A consumer reporting agency shall remove a security freeze within three (3) business days of receiving a request for removal from the consumer, who provides both of the following:

              (i)  Proper identification; and

              (ii)  The unique personal identification number or password provided by the consumer reporting agency pursuant to paragraph (c) of subsection (2).

     Not later than one (1) year after the effective date of this act, a consumer reporting agency shall remove a security freeze within one (1) business day after receiving such a request.

          (k)  A consumer reporting agency shall require proper identification of the person making a request to place or remove a security freeze.

          (l)  A consumer reporting agency may not suggest or otherwise state or imply to a third party that the consumer's security freeze reflects a negative credit score, history, report or rating.

          (m)  The provisions of this section do not apply to the use of a consumer credit report by any of the following:

              (i)  A person, or the person's subsidiary, affiliate, agent or assignee with which the consumer has or, prior to assignment, had an account, contract or debtor-creditor relationship for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract or debt.

              (ii)  A subsidiary, affiliate, agent, assignee or prospective assignee of a person to whom access has been granted under paragraph (d) of subsection (2) for purposes of facilitating the extension of credit or other permissible use.

              (iii)  Any person acting pursuant to a court order, warrant, or subpoena.

              (iv)  A state or local agency which administers a program for establishing and enforcing child support obligations.

              (v)  The State Health Department or its agents or assigns acting to investigate fraud.

              (vi)  The State Tax Commission or its agents or assigns acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities.

              (vii)  A person for the purposes of prescreening as defined by the federal Fair Credit Reporting Act.

              (viii)  Any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed.

              (vix)  Any person or entity for the purpose of providing a consumer with a copy of his or her credit report upon the consumer's request.

          (n)  A consumer may not be charged for any security freeze services, including, but not limited to, the placement or lifting of a security freeze.  A consumer, however, can be charged no more than Five Dollars ($5.00) only in the following discreet circumstance:  If the consumer fails to retain the original personal identification number provided by the agency, the consumer may not be charged for a one-time reissue of the same or a new personal identification number; however, the consumer may be charged no more than Five Dollars ($5.00) for subsequent instances of loss of the personal identification number.

     (3)  Notice of rights.  At any time that a consumer is required to receive a summary of rights required under Section 609 of the federal Fair Credit Reporting Act, the following notice shall be included:

Consumers Have the Right to Obtain a Security Freeze

You may obtain a security freeze on your credit report at no charge to protect your privacy and ensure that credit is not granted in your name without your knowledge.  You have a right to place a "security freeze" on your credit report pursuant to state law.

The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval.

The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent.  When you place a security freeze on your credit report, within five (5) business days (and by July 1, 2008, no later than one (1) business day) you will be provided a personal identification number or password to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report for a specific party, parties or period of time after the freeze is in place.  To provide that authorization, you must contact the consumer reporting agency and provide all of the following:

(a)  The unique personal identification number or password provided by the consumer reporting agency.

(b)  Proper identification to verify your identity.

(c)  The proper information regarding the third party or parties who are to receive the credit report or the period of time for which the report shall be available to users of the credit report.

A consumer reporting agency that receives a request from a consumer to lift temporarily a freeze on a credit report shall comply with the request no later than three (3) business days after receiving the request.  (By July 1, 2009, the consumer reporting agency must temporarily lift the freeze within fifteen (15) minutes of receiving the request.)

A security freeze does not apply to circumstances where you have an existing account relationship and a copy of your report is requested by your existing creditor or its agents or affiliates for certain types of account review, collection, fraud control or similar activities.

If you are actively seeking a new credit, loan, utility, telephone, or insurance account, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit.  You should plan ahead and lift a freeze, either completely if you are shopping around, or specifically for a certain creditor, with enough advance notice before you apply for new credit for the lifting to take effect.  Until July 1, 2008, you should lift the freeze at least three (3) business days before applying; between July 1, 2008, and July 1, 2009, you should lift the freeze at least one (1) business day before applying; and after July 1, 2009, you should lift the freeze at least fifteen (15) minutes before applying for a new account.

You have a right to bring a civil action against someone who violates your rights under the credit reporting laws.  The action can be brought against a consumer reporting agency or a user of your credit report.

     (4)  Violations; penalties.  If a consumer reporting agency erroneously, whether by accident or design, violates the security freeze by releasing credit information that has been placed under a security freeze, the affected consumer is entitled to:

          (a)  Notification within five (5) business days of the release of the information, including specificity as to the information released and the third party recipient of the information.

          (b)  File a complaint with the Federal Trade Commission and the State Attorney General.

          (c)  In a civil action against the consumer reporting agency recover:

              (i)  Injunctive relief to prevent or restrain further violation of the security freeze;

              (ii)  A civil penalty in an amount not to exceed Ten Thousand Dollars ($10,000.00) for each violation plus any damages available under other civil laws; and

              (iii) Reasonable expenses, court costs, investigative costs, and attorney's fees.

          (d)  Each violation of the security freeze shall be counted as a separate incident for purposes of imposing penalties under this section.

     SECTION 4.   A consumer reporting agency may furnish information from a consumer's credit header only to those who have a permissible purpose to obtain the consumer's consumer report, under Section 604 of the federal Fair Credit Reporting Act, as codified at 15 USC, Section 1681(b), and that permissible purpose applies to the request for the credit header information.

     SECTION 5.  (1)  A person who has learned or reasonably suspects that he or she has been the victim of identity theft may contact the local law enforcement agency that has jurisdiction over his or her actual residence, which shall take a police report of the matter, and provide the complainant with a copy of that report.  Notwithstanding the fact that jurisdiction may lie elsewhere for investigation and prosecution of a crime of identity theft, the local law enforcement agency shall take the complaint and provide the complainant with a copy of the complaint and may refer the complaint to a law enforcement agency in that different jurisdiction.

     (2)  Nothing in this section interferes with the discretion of a local police department to allocate resources for investigations of crimes.  A complaint filed under this section is not required to be counted as an open case for purposes such as compiling open case statistics.

     SECTION 6.  (1)  A person who reasonably believes that he or she is the victim of identity theft may petition a court, or the court, on its own motion or upon application of the prosecuting attorney, may move for an expedited judicial determination of his or her factual innocence, where the perpetrator of the identity theft was arrested for, cited for, or convicted of a crime under the victim's identity, or where a criminal complaint has been filed against the perpetrator in the victim's name, or where the victim's identity has been mistakenly associated with a record of criminal conviction.  Any judicial determination of factual innocence made pursuant to this section may be heard and determined upon declarations, affidavits, police reports, or other material, relevant, and reliable information submitted by the parties or ordered to be part of the record by the court.  Where the court determines that the petition or motion is meritorious and that there is no reasonable cause to believe that the victim committed the offense for which the perpetrator of the identity theft was arrested, cited, convicted, or subject to a criminal complaint in the victim's name, or that the victim's identity has been mistakenly associated with a record of criminal conviction, the court shall find the victim factually innocent of that offense.  If the victim is found factually innocent, the court shall issue an order certifying this determination.

     (2)  After a court has issued a determination of factual innocence pursuant to this section, the court may order the name and associated personal identifying information contained in court records, files, and indexes accessible by the public deleted, sealed, or labeled to show that the data is impersonated and does not reflect the defendant's identity.

     (3)  Upon making a determination of factual innocence, the court must provide the consumer written documentation of such order.

     (4)  A court that has issued a determination of factual innocence pursuant to this section may at any time vacate that determination if the petition, or any information submitted in support of the petition, is found to contain any material misrepresentation or fraud.

     (5)  The Supreme Court shall develop a form for use in issuing an order pursuant to this section.

     (6)  The Department of Public Safety shall establish and maintain a database of individuals who have been victims of identity theft and that have received determinations of factual innocence.  The Department of Public Safety shall provide a victim of identity theft or his or her authorized representative access to the database in order to establish that the individual has been a victim of identity theft.  Access to the database shall be limited to criminal justice agencies, victims of identity theft, and individuals and agencies authorized by the victims.

     (7)  The Department of Public Safety shall establish and maintain a toll-free number to provide access to information under subsection (6).

     (8)  In order for a victim of identity theft to be included in the database established pursuant to subsection (6), he or she shall submit to the Department of Public Safety a court order obtained pursuant to any provision of law, a full set of fingerprints, and any other information prescribed by the department.

     (9)  Upon receiving information pursuant to subsection (8), the Department of Public Safety shall verify the identity of the victim against any driver's license or other identification record maintained by the Department of Motor Vehicles.

     (10)  This section shall be operative within One hundred eighty (180) days of the passage of this act.

     SECTION 7.  (1)  Definitions.  As used in this section:

          (a)  "Breach of the security of a system" means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes or the individual or entity reasonably believes has caused or will cause identity theft or other fraud to any resident of this state.  However, good-faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or the entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.

          (b)  "Entity" includes corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies or instrumentalities, or any other legal entity, whether for profit or not-for-profit.

          (c)  "Encrypted" means transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, or securing the information by another method that renders the data elements unreadable or unusable.

          (d)  "Financial institution" has the meaning given that term in Section 6809(3) of Title 15, United States Code.

          (e)  "Individual" means a natural person.

          (f)  "Personal information" means the first name or first initial and last name linked to any one or more of the following data elements that relate to a resident of this state, when the data elements are neither encrypted nor redacted:

               (i)  Social security number;

              (ii)  Driver's license number or state identification card number issued in lieu of a driver's license;             (iii)  Financial account number, or credit card or debit card number, in combination with any required security code, access code or password that would permit access to a resident's financial accounts; or

              (iv)  The term does not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

          (g)  "Notice" means:

              (i)  Written notice to the postal address in the records of the individual or entity;

              (ii)  Telephone notice;

              (iii)  Electronic notice; or

              (iv)  Substitute notice, if the individual or the entity required to provide notice demonstrates that the cost of providing notice will exceed Fifty Thousand Dollars ($50,000.00), or that the affected class of residents to be notified exceeds one hundred thousand (100,000) persons, or that the individual or the entity does not have sufficient contact information or consent to provide notice as described in this paragraph.  Substitute notice consists of any two (2) of the following:

                   1.  E-mail notice if the individual or the entity has e-mail addresses for the members of the affected class of residents;

                   2.  Conspicuous posting of the notice on the Web site of the individual or the entity if the individual or the commercial entity maintains a Web site;

                   3.  Notice to major statewide media.

          (h)  "Redact" means alteration or truncation of data such that no more than the last four (4) digits of a social security number, driver's license number, state identification card number or account number is accessible as part of the personal information.

     (2)  Disclosure of Breach of Security of Computerized Personal Information by an Individual or Entity.  (a)  An individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.  Except as provided in paragraph (d) or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system, the disclosure shall be made without unreasonable delay.

          (b)  An individual or entity must disclose the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident of this state.

          (c)  An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the system as soon as practicable following discovery, if the personal information was or is the entity reasonably believes was accessed and acquired by an unauthorized person.

          (d)  Notice required by this section may be delayed if a law enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation, or homeland or national security.  Notice required by this section must be made without unreasonable delay after the law enforcement agency determines that notification will no longer impede the investigation or jeopardize national or homeland security.

     (3)  Procedures Deemed in Compliance with Security Breach Requirements.  (a)  An entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information and that are consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if it notifies residents of this state in accordance with its procedures in the event of a breach of security of the system.

          (b)  (i)  A financial institution that complies with the notification requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with this section.

              (ii)  An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures or guidelines established by the entity's primary or functional federal regulator shall be in compliance with this section.

     (4)  Violations.  (a)  A violation of this section that results in injury or loss to residents of this state may be enforced by the Office of the Attorney General as an unfair trade practice.

          (b)  Except as provided by paragraph (c) of this subsection, the Office of Attorney General shall have exclusive authority to bring action and may obtain either actual damages for a violation of this section or a civil penalty not to exceed One Hundred Fifty Thousand Dollars ($150,000.00) per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation.

          (c)  A violation of this section by a state-chartered or licensed financial institution shall be enforceable exclusively by the financial institution's primary state regulator.

     (5)  Applicability.  This section shall apply to the discovery or notification of a breach of the security of the system that occurs on or after July 1, 2007.

     (6)  Preemption.  This section shall supersede and preempt all rules, regulations, codes, statutes or ordinances of any county or municipality regarding the matters expressly set forth in this section.

     SECTION 8.  (1)  Except as provided in subsection (3), a person or entity, including a state or local agency, may not do any of the following:

          (a)  Intentionally communicate or otherwise make available to the general public an individual's social security number.

          (b)  Print an individual's social security number on any card required for the individual to access products or services provided by the person or entity.

          (c)  Require an individual to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted, the number is essential to the transaction, and there is no other identifier that could reasonably be used.

          (d)  Require an individual to use his or her social security number to access an Internet Web site.

          (e)  Print an individual's social security number on any materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document to be mailed.

          (f)  Sell, lease, loan, trade, rent or otherwise disclose an individual's social security number to a third party for any purpose without written consent to the disclosure from the individual.

          (g)  Refuse to do business with an individual because the individual will not consent to the receipt by such person of the social security account number of such individual, unless such person is expressly required under federal law, in connection with doing business with an individual, to submit to the federal government such individual's social security account number.

     (2)  This section does not apply to documents that are recorded or required to be open to the public pursuant to Mississippi Public Records Act.

     (3)  Any entity covered by this section shall make reasonable efforts to cooperate, through systems testing and other means, to ensure that the requirements of this act are implemented on or before the dates specified in this section.

     (4)  Penalties for violations of this section:

          (a)  A person who violates this section is responsible for the payment of a civil fine of not more than Three Thousand Dollars ($3,000.00).

          (b)  A person who knowingly violates this section is guilty of a misdemeanor punishable by imprisonment for not more than thirty (30) days or a fine of not more than Five Thousand Dollars ($5,000.00), or both.

          (c)  An individual may bring a civil action against a person who violates this section and may recover actual damages or Five Thousand Dollars ($5,000.00), whichever is greater, plus reasonable court costs and attorney's fees.

     SECTION 9.   With respect to private passenger automobile, residential property and other personal lines insurance, an insurer may not:

          (a)  Refuse to underwrite, cancel, refuse to renew a risk, or increase a renewal premium, based, in whole or in part, on the credit history of an applicant or insured;

          (b)  Rate a risk based, in whole or in part, on the credit history of an applicant or insured in any manner, including:

              (i)  The provision or removal of a discount;

              (ii)  Assigning the insured or applicant to a rating tier; or

              (iii)  Placing an insured or applicant with an affiliated company; or

          (c)  Require a particular payment plan based, in whole or in part, on the credit history of the insured or applicant.

     SECTION 10.  This act shall take effect and be in force from and after July 1, 2007.