United States: NAIC Cybersecurity Task Force Weighs Credit Freezes

Last Updated: August 2 2016
Article by Josephine Cicchetti

On May 24-25, the NAIC Cybersecurity (EX) Task Force held an interim meeting to hear comments from various industry trade organizations and other interested parties on the proposed  Insurance Data Security Model Law exposed for comment on March 2. While the comments' themes largely echoed the written comments previously submitted by the interested parties, there was also a lengthy discussion on appropriate consumer protection measures to potentially implement following a data security breach. The March 2 draft of the Model Law provides for up to one year of free identity theft coverage, but the possibility that a credit freeze could be a superior measure was discussed at length.

What is a Credit Freeze?

credit freeze allows a consumer to restrict access to his or her credit report. As most creditors must access a consumer's credit report before approving a new account, a credit freeze prevents identity thieves from opening any new accounts in a consumer's name. However, this measure specifically protects consumers from the opening of new fraudulent accounts, and not against fraudulent activity in their existing accounts or other types of identity theft. In a data breach situation where personally identifiable information is stolen, a credit freeze is useful to protect against potential credit fraud. While credit freezes are often advised for identity theft victims, they can also be implemented to prevent fraudulent activity tied to a consumer's credit.

How it Works

To place a freeze on their credit report,  consumers must contact each of the three major credit bureaus – Equifax, Experian, and TransUnion – and provide personal information along with their freeze request. Fees vary from state to state, and can range from $3 to $10 to initiate a freeze. Each credit reporting company will provide the consumer with a unique personal identification number to use should they need to lift the freeze. It can take from 15 minutes to three days to initiate a freeze, depending on whether the request is made via postal mail, electronically, or by phone. Electronic and phone requests are the quickest ways to initiate a credit freeze.

Once a freeze is placed on a consumer's credit, access is completely restricted and no new accounts can be opened unless the freeze is temporarily lifted by the consumer. All existing creditors will still have access to the consumer's credit report throughout the freeze.

To lift a freeze, a consumer must contact each credit bureau again and request to either temporarily or permanently lift the freeze. A temporary lift costs from $2 to $12 depending on the state, and consumers must pay each time they need to make their credit available to a potential creditor or new employer. If the consumer can determine which credit bureau the potential creditor will use to check the consumer's credit, they can simply unfreeze their credit with that particular bureau to avoid extra costs. Some states waive temporary lift fees for identity theft victims or persons over age 65. To be eligible for the fee waiver, identity theft victims typically must provide a copy of a police report and in some cases an affidavit stating they believe that they are a victim of identity theft. The freeze can be lifted for a particular party or for a specified time period, and will be reinstated after that period. A permanent lift is typically free, though it depends on the state. The consumer can dictate when they want to permanently lift the freeze.

State Laws

All 50 states and the District of Columbia have enacted legislation to allow consumers to freeze their credit reports. Any consumer can request a freeze regardless of whether they are a data breach or identity theft victim. Although all states allow any consumer to initiate a freeze, some also mention the ability to freeze on behalf of minors or incapacitated persons. The National Conference of State Legislatures website notes that 22 states allow "parents, legal guardians or other representatives of minors to place a security freeze on the minor's credit report: Arizona, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Iowa, Louisiana, Maine, Maryland, Michigan, New York, North Carolina, Oregon, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia and Wisconsin." Some states also waive the fees to freeze and unfreeze for consumers who can prove they are identity theft victims or are over age 65.

Equifax created a fairly comprehensive list of each state's fees for the freeze placement, date range lift, specific party lift, permanent removal, and replacement pin. The list also includes whether each state assesses different fees for identity theft victims or persons 65 years of age or older. In New Jersey, for example, identity theft victims are still required to pay a $5 fee for each temporary or permanent lift on a freeze. Whereas in New York, identity theft victims are not charged any fees. In South Carolina, both identity theft victims and non-victims can implement and suspend a credit freeze entirely for free. In Illinois, all fees are waived for active-duty military. 

After a data breach, organizations must comply with data breach notification laws, which also vary by state. Forty-seven states and the District of Columbia have enacted legislation requiring private and government entities to notify individuals of a security breach involving their personal information. Security breach laws differ on who must comply with the law, the definition of "personal information", what constitutes a breach, requirements for notice, and exemptions. A 2015 amendment to Connecticut's breach notification law requires that an entity provide information on how to implement a credit freeze in its breach notification to consumers (Conn. Gen. Stat. § 36a-701b(2)(B) (2015)).

Benefits of Credit Freezing as a Data Breach Remedy

In the event of a data breach, a credit freeze is considered a more effective remedy than credit monitoring in terms of prevention. Credit monitoring will only alert a consumer to fraud after the activity has occurred, while a credit freeze could prevent the fraud from happening altogether. The freeze can completely shield a consumer's credit from inquiries (See Should you Freeze your Credit After a Data Breach?). While the credit freeze is in place, consumers can continue to use their existing accounts and will still be able to access free annual credit reports. Existing creditors, or collection agencies working on their behalf, will also have continued access throughout the freeze.

The credit restriction has the added bonus of forcing consumers to become more strategic and thoughtful when they want to open new credit. Generally, a credit freeze should not negatively impact a consumer's credit score. In fact, some believe it is more likely to help a consumer's credit score due to the reduced number of hard inquiries that can be made during the freeze (Hard inquiries are credit reviews made in the course of a lending decision that may have a small negative impact on a consumer's credit score.). Although credit freezes create more obstacles for consumers who want to open new accounts, they protect consumers' credit in a way that credit monitoring cannot. The benefit of this added security measure will likely outweigh the cost of implementation and maintaining a frozen account for data breach victims concerned about identity theft.

Drawbacks to Credit Freezing

Despite its benefits, freezing credit has some drawbacks. While a credit freeze can specifically prevent credit fraud, consumers are still vulnerable to other types of identity theft and abuse of their personal information.  Some consumers may also be deterred by the cost and high-maintenance strategy of having to unfreeze and reinitiate the freeze every time they need access to their credit. For consumers who do not typically need access, such as senior citizens, a freeze may not cause any inconvenience. However, for those who must access their credit history often, the freeze is much more burdensome.

Some have also expressed concern that a credit freeze could result in an increase in a consumer's insurance rates.  Since some insurance companies use credit scores as a factor in determining insurance scores for underwriting and rating consumers, the inability to access the consumer's credit report may be erroneously interpreted as a negative factor by the insurer. (See NAIC Credit-Based Insurance Scores).  Steps to mitigate this potential risk would need to be devised if credit freezes are mandated by the Model Law.

Ultimately, a credit freeze doesn't completely eliminate the risk of becoming a fraud victim. Identity thieves still possess other tools to use against consumers. A freeze also will not stop misuse of a consumer's existing accounts and will prevent credit monitoring companies from tracking a consumer's credit to look for that misuse. So, while this tool effectively blocks fraudulent credit activity, it is important for consumers to continue to monitor their existing accounts and request credit reports as often as possible to keep track of those accounts.

Conclusion

To use the credit freeze as a Model Law requirement, regulators and the credit reporting agencies would need to work together to determine how this remedy could be administered in a breach situation. Since the individual affected must initiate a freeze of his or her credit, procedures would need to be devised to provide for individual decisions on whether a credit freeze is the correct or desired approach for a particular individual. The costs and administrative resources needed for such a measure may render this suggestion a good idea that falls short of a workable mandate.

The author would like to acknowledge the significant contributions of Laura Wall, summer associate from the University of Florida, in the preparation of the article.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
Troutman Sanders LLP
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Troutman Sanders LLP
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions