Under the recent amendments to the Fair Credit Reporting Act (FCRA) passed by Congress, as of September 21, 2018, consumer credit reporting agencies can no longer charge fees for consumers to place or lift credit freezes on their credit file.

The Economic Growth, Regulatory Relief, and Consumer Protection Act (the Act) revised Sec. 605A of the FCRA (15 U.S.C. § 1681c-1) and now allows consumers to place and lift credit freezes (also known as "security freezes") with the consumer reporting agencies free of charge.

Prior to the Act's amendment of the FCRA, consumer reporting agencies could charge consumers for adding or removing these protections from their credit file.

Additionally, under the Act, consumers have the right to receive fraud alerts on their consumer files for at least one year, as opposed to the 90-day timeframe provided for by the FCRA pre-Act, and up to seven years if they have been victims of identity theft. 

Effect of Amendments on Data Security Incident Response

By eliminating fees that consumer reporting agencies can charge consumers to protect their credit file, the Act modifies companies' data breach notification obligations where affected individuals reside in certain states.

Prior to the Act, states such as Massachusetts and Rhode Island required any consumer data breach notice made under their respective breach notification statutes to mention possible fees that a consumer reporting agency may charge to place a credit freeze on a consumer's file. 

With the Act's elimination of such fees, some state regulators have begun advising companies to remove references of possible credit freeze fees from their breach notifications to consumers.

Consequently, companies should revise their breach response and notification protocols to ensure that they no longer reference such fees when providing notice of a data security incident.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.