Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations
Section Content

Upcoming Events

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • CFPB issues updated FCRA model disclosures to implement Economic Growth, Regulatory Relief, and Consumer Protection Act amendments

    Federal Issues

    On September 12, the CFPB issued an interim final rule to comply with the Economic Growth, Regulatory Relief, and Consumer Protection Act (the “Act”) (previously Senate bill S. 2155). Section 301(a)(1) of the Act amends the FCRA to add section 605A(i), which requires consumer reporting agencies to provide national security freezes free of charge to consumers. Additionally, the new section requires that whenever a consumer is provided a “summary of rights” under section 609, the summary must include a notice regarding the right to obtain a free security freeze. The Act also amends FCRA section 605A(a)(1)(A) to extend from 90 days to one year the minimum time that a credit reporting agency must include an initial fraud alert on a consumer’s file.

    The interim final rule, which is effective on September 21, amends the model forms in Regulation V to comply with the Act. The interim file rule also permits various compliance alternatives to mitigate the impact of the changes to these forms, including allowing the use of the 2012 model forms so long as a separate page provided in the same transmittal contains the new information required.

    Comments on the interim final rule will be due 60 days after publication in the Federal Register. Links to the English and Spanish versions of the revised Summary of Consumer Rights and revised Summary Consumer Identity Theft Rights, covered by Section 609 of the FCRA, are available here.

    Federal Issues CFPB FCRA Disclosures S. 2155 EGRRCPA Security Freeze

    Share page with AddThis
  • Rhode Island and New Hampshire prohibit security freeze fees

    Privacy, Cyber Risk & Data Security

    On June 14, the governor of Rhode Island signed S2562, which prohibits consumer reporting agencies from charging a fee for security freeze services, including the placement, removal, or temporary lifting of a security freeze for a consumer. The law also prohibits the charging of a fee in connection with issuing or reissuing a personal identification number that is used by a consumer to authorize the use of his or her credit or to remove the freeze. Previously, Rhode Island allowed credit reporting agencies to charge a fee up to $10 dollars for security freeze services and $5 for reissuances of personal identification numbers, although customers were entitled to a free initial reissuance of their personal identification numbers. The law is effective September 1.

    Similarly, on June 8, the governor of New Hampshire signed HB1700, which prohibits a consumer reporting agency from charging a fee to place, remove, or temporarily lift a security freeze. The law also prohibits a consumer reporting agency from charging a fee to issue or replace a consumer’s personal identification number used in connection with the security freeze. The law requires the consumer reporting agencies to place the freeze within three business days after receiving a consumer request, if the consumer makes the request via mail and within 24 hours after receiving a consumer request, if made electronically or by telephone. The law is effective January 1, 2019.

    Privacy/Cyber Risk & Data Security Security Freeze State Issues State Legislation Credit Reporting Agency

    Share page with AddThis
  • Illinois, Connecticut, and Hawaii pass security freeze legislation

    Privacy, Cyber Risk & Data Security

    On June 8, the Illinois governor approved HB 4095, which amends the Consumer Fraud and Deceptive Business Practices Act to prohibit consumer reporting agencies (CRAs) from charging consumers a fee for placing, removing, or temporarily lifting a security freeze. The act takes effect immediately.  The Act also permits a consumer to request a security freeze by phone or electronic means, in addition to a request in writing.

    This followed a similar action by the Connecticut governor, who on June 4 signed SB 472 to prohibit CRAs from charging a fee to consumers to place, remove, or temporarily lift a security freeze on a consumer's account. The legislation also, among other things, (i) prohibits CRAs from—as a condition of placing the freeze—requiring that consumers agree to limit their claims against the agency; (ii) increases the length of time that identity theft prevention and mitigation services must be provided to a consumer after a security breach from 12 to 24 months; and (iii) provides that the banking commissioner will adopt regulations that require CRAs to provide it with “dedicated points of contact” to allow the Department of Banking to assist consumers when a data breach occurs. The act takes effect October 1.

    On June 6, the Hawaii governor signed HB 2342 to enhance protection of consumer information by expanding the methods consumers may use to request security freezes, and by prohibiting credit reporting agencies (CRAs) from charging consumers a fee to place, remove, or temporarily lift a security freeze on a consumer's credit report or records. Among other things, the act now permits a consumer or a “protected consumer’s representative” to request a security freeze via first-class mail, a telephone call, or through a CRA’s designated secure website, and also preserves the CRA’s ability to lift a security freeze when the freeze was executed due to material misrepresentation by the consumer. When lifting a security freeze, CRAs are required to send written confirmation to the affected consumer within five business days. The act takes effect July 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Security Freeze Data Breach Credit Reporting Agency

    Share page with AddThis
  • Louisiana governor amends data breach notification law; passes security freeze legislation

    Privacy, Cyber Risk & Data Security

    On May 20, the Louisiana governor signed SB361 to amend the state’s existing data breach notification law. The amendments require entities conducting business in the state or that own or license computerized data to (i) “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure,” and (ii) take “all reasonable steps” to destroy documents containing personal information once they no longer need to be retained. Key amendment highlights are as follows:

    • revises definitions, which include (i) defining “breach of the security of the system” to now apply to “the compromise… of computerized data that results in, or there is a reasonable likelihood to result in. . .” unauthorized acquisition and access; and (ii) revising the definition of “personal information” to include residents of the state, and include passport numbers and biometric data;
    • requires entities to notify affected individuals within 60 days of the discovery of a data breach—pending the needs of law enforcement—and further stipulates that if a determination is made to delay notification, the Attorney General must be notified in writing within the 60-day period to receive an extension of time;
    • provides that substitute notification—consisting of email notification, a notice posted to the entity’s website, and notifications to major statewide media—may be provided should the entity demonstrate that (i) the cost of the notification would exceed $100,000; (ii) the affected class of persons exceeds 100,000; or (iii) the entities lack sufficient contact information; and
    • states that violations of the Database Security Breach Notification Law constitute an unfair act or practice.

    The amendments take effect August 1.

    Separately, on May 15, the governor signed SB127, which prohibits credit reporting agencies from charging a fee for placing, reinstating, temporarily lifting, or revoking a security freeze. The bill became effective upon signature by the governor.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Security Freeze Data Breach

    Share page with AddThis
  • Minnesota prohibits security freezes fees, authorizes security freezes for protected persons

    State Issues

    On May 19, the Minnesota governor signed HF1243, which, effective immediately, prohibits credit reporting agencies for charging a fee for the placement, removal, or temporary lift of a security freeze. The law previously allowed for a fee of $5.00. Additionally, effective January 1, 2019, the law authorizes the placement of a security freeze for a protected person – defined by the law as an individual under the age of 16 – if a consumer reporting agency receives a request by the protected person’s representative and certain authentication standards are met. The law also outlines the requirements for removing a security freeze for a protected person.

    State Issues Credit Reporting Agency Security Freeze State Legislation Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • Maryland and Georgia prohibit security freeze fees

    State Issues

    On May 15, the Maryland governor signed SB 202, which prohibits consumer reporting agencies from charging consumers, or protected consumers’ representatives, a fee for the placement, removal, or temporary lift of a security freeze. Previously, Maryland allowed for a fee, in most circumstances, of up to $5.00 for each placement, temporary lift, or removal. The law takes effect October 1.

    On May 3, the Georgia governor signed SB 376, which amends Georgia law to prohibit consumer reporting agencies from charging a fee for placing or removing a security freeze on a consumer’s account. Previously, Georgia law allowed for a fee of no more than $3.00 for each security freeze placement, removal, or temporary lift, unless the consumer was a victim of identity theft or over 65 years old. Under SB 376, consumer reporting agencies may not charge a fee to any consumer at any time for the placement or removal of a security freeze. This law takes effect July 1.

    State Issues State Legislation Credit Reporting Agency Security Freeze Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • Maryland expands authority over credit reporting agencies

    State Issues

    On May 8, Maryland governor Larry Hogan signed HB848, which expands Maryland’s authority over Credit Reporting Agencies (CRAs) by requiring CRAs to develop a secure system to process electronic requests for placing, lifting, or removing a security freeze. Additionally, the law expands the definition of “protected consumer” for purposes of free security freezes to include persons age 85 or older, certain members of the military, and incarcerated individuals. The law also (i) codifies an existing requirement that CRAs register with the Office of the Commissioner of Financial Regulation (OCFR); (ii) allows the OCFR to investigate written consumer complaints against CRAs; and (iii) increases the maximum civil monetary penalty to $1,000 for the first violation and $2,500 for each subsequent violation. The law is effective October 1.

    State Issues Credit Reporting Agency Security Freeze Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • States pass legislation updating security freeze laws

    Privacy, Cyber Risk & Data Security

    On April 12, the Kansas governor signed HB 2580, which amends existing law to prohibit consumer reporting agencies (CRAs) from charging a fee to a consumer for placing, temporarily lifting, or removing a security freeze on his or her credit report. Moreover, it prevents CRAs from charging fees for replacing a previously requested personal identification number. The law is effective July 1.

    Additionally, on April 10, the Iowa governor signed SF 2177, which updates the state’s security freeze law to prohibit CRAs from charging a fee to a consumer for placing, temporarily lifting, removing, or reinstating a security freeze on his or her credit report. Additionally, among other things, the law (i) expands the methods a consumer may use to submit a request for a security freeze; (ii) reduces the number of days CRAs must commence a security freeze after receiving a request from five to three business days; (iii) requires CRAs to send written confirmation within three business days to a consumer after placing a security freeze; and (iv) states that if a consumer requests a security freeze from a CRA that “compiles and maintains files on a nationwide basis,” the CRA must attempt to identify other CRAs that also maintain nationwide files so that the consumer may request additional security freezes. The amendments generally take effect July 1, with the exception of certain provisions that take effect January 1, 2019.

    Visit here for additional InfoBytes coverage on states that have recently enacted similar prohibitions.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Security Freeze

    Share page with AddThis
  • Arizona governor amends data breach law, updates security freeze legislation

    Privacy, Cyber Risk & Data Security

    On April 11, the Arizona governor signed HB 2154 to amend the state’s existing data breach notification law. The amendments require entities conducting business in the state that maintain, own, or licenses unencrypted and unredacted computerized data to conduct a reasonable investigation of possible breaches of personal information. Owners or licensees of personal information must then notify affected individuals within 45 days, pending the needs of law enforcement. Key amendment highlights are as follows:

    • makes revisions to definitions, which include (i) expanding “personal information” to include a combination of a user’s name, password/security question, and answer that grants access to an online account; (ii) defining the term “redact”; and (iii) clarifying that a “specified data element” now includes an individual’s unique “private key” used when authenticating or signing an electronic record;
    • adds a requirement that for breaches impacting more than 1,000 individuals, the Attorney General and the three largest consumer reporting agencies must be notified in writing;
    • amends a provision concerning “substitute notice,” which removes requirements that a notification must to be sent to affected individuals via email as well as notifying major statewide media. The amendments now stipulate that an entity is required to notify the Attorney General’s office in writing to demonstrate the reasons for substitute notice in addition to posting a notice on the entity’s website for at least 45 days; and
    • clarifies a section that states entities are no longer required to notify affected individuals if an independent third-party forensic auditor or law enforcement agency “determines after a reasonable investigation that a security system breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.”

    Separately, on April 3, the governor signed SB 1163, which amends existing law to prohibit credit reporting agencies from charging a fee to a consumer for the placement, removal, or temporary lifting of a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password. 

    Both bills are scheduled to take effect 91 days after the end of the legislative session.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Security Freeze

    Share page with AddThis
  • States pass bills amending security freeze laws

    State Issues

    On March 29, the Colorado governor signed HB 1233, which authorizes a parent or legal guardian to request a credit reporting agency place a security freeze on a protected consumer’s credit file; the law defines protected person to include a minor under 16 years of age or an individual who is a ward of the legal guardian. According to HB 1233, if no credit file exists for the protected consumer, the credit reporting agency is required to create a record and then initiate the security freeze on such record without charge. Additionally, among other things, the law prohibits the charging of a fee for the “placement, temporary lift, partial lift, or removal of a security freeze” on a protected consumer’s credit file and allows for a protected consumer to remove the security freeze if they demonstrate the representative’s authority is no longer valid. HB 1233 becomes effective on January 1, 2019.

    On March 30, the Kentucky governor signed HB 46, which updates Kentucky’s security freeze law to, among other things, allow a consumer to request a security freeze by methods established by the credit reporting agency in addition to written notification, and remove the requirement that a security freeze expire after seven years. The law continues to allow for a charge of up to ten dollars for the placement, temporary lift, or removal of a security freeze unless the consumer is a victim of identity theft and provides the credit reporting agency with a valid police report. The law is effective immediately, as the text notes that security breaches and the risk of identity theft are on the rise.

    State Issues State Legislation Security Freeze Data Breach Privacy/Cyber Risk & Data Security Credit Reporting Agency

    Share page with AddThis

Pages