SECOND REGULAR SESSION

HOUSE BILL NO. 1857

95TH GENERAL ASSEMBLY

INTRODUCED BY REPRESENTATIVE GRILL.

4800L.01I                                                                                                                                                  D. ADAM CRUMBLISS, Chief Clerk

AN ACT

To amend chapter 407, RSMo, by adding thereto one new section relating to the prevention of identity theft.

Be it enacted by the General Assembly of the state of Missouri, as follows:

            Section A. Chapter 407, RSMo, is amended by adding thereto one new section, to be known as section 407.1390, to read as follows:

            407.1390. 1. For the purposes of this section, the following terms mean:

            (1) "Business", sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit. The term includes a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this state, any other state, the United States, or any other country, or the parent or the subsidiary of any such financial institution. The term also includes an entity that destroys records;

            (2) "Dispose" includes:

            (a) The discarding or abandonment of records containing personal information; and

            (b) The sale, donation, discarding, or transfer of any medium, including computer equipment, or computer media, containing records of personal information, or other nonpaper media upon which records of personal information is stored, or other equipment for nonpaper storage of information;

            (3) "Personal information", a Social Security number; a personal identification number; a password; a passcode; an official state or government-issued driver's license or identification card number; a government passport number; biometric information other than a photographic image; an employer, student, or military identification number; a financial transaction device or financial account number, or health information including medical records and health insurance identifiers;

            (4) "Records", any material on which written, drawn, spoken, visual or electromagnetic information is recorded or preserved, regardless of physical form or characteristics. "Records" shall not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address or telephone number;

            (5) "Social Security number", any portion of three or more consecutive digits of a Social Security number.

            2. Any business that conducts business in the state of Missouri and any business that maintains or otherwise possesses personal information of residents of the state of Missouri shall take all reasonable measures to protect against unauthorized access to or use of the information in connection with, or after its disposal. Such reasonable measures shall include, but may not be limited to:

            (1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing or shredding of papers containing personal information so that the information cannot practicably be read or reconstructed;

            (2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed;

            (3) After due diligence, entering into and monitoring compliance with a written contract with another party engaged in the business of record destruction to dispose of personal information in a manner consistent with this section. Due diligence should ordinarily include, but may not be limited to, one or more of the following:

            (a) Reviewing an independent audit of the disposal company's operations or its compliance with this section or its equivalent;

            (b) Obtaining information about the disposal company from several references or other reliable sources and requiring that the disposal company be certified by a recognized trade association or similar third party with a reputation for high standards of quality review;

            (c) Reviewing and evaluating the disposal company's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the disposal company;

            (4) A disposal company that conducts business in Missouri or disposes personal information of residents of Missouri shall take reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with policies and procedures that protect against unauthorized access to or use of personal information during or after the collection and transportation and disposing of such information in accordance with subdivisions (1) and (2) of this subsection.

            3. Procedures relating to the adequate destruction or proper disposal of personal records shall be comprehensively described and classified as official policy in the writings of the business entity, including corporate and employee handbooks and similar corporate documents.

            4. (1) Any person or business that violates this section may be subject to a civil penalty of not more than three thousand dollars.

            (2) Any individual aggrieved by a violation of this section may bring a civil action to enjoin further violations and to recover actual damages, costs, and reasonable attorney's fees.

                                                                                  •