Credit Freeze and Security Breach Notification Laws

edited by: Brian Nelson • updated: 4/13/2009

This article explains how credit freeze and security breach notification laws vary within the United States of America.

    The credit freeze gives the consumer or the identity theft victim the option to give or deny permission to prospective creditors to access their credit information using a unique PIN (Personal Identification Number) provided by the credit reporting agency. The credit freeze can stop potential identity theft when fraudulent identification is used to apply for a new account. The credit freeze can help creditors recognize false credit applications.

    The three main American credit reporting agencies (Equifax, Experian and TransUnion) are offering credit freezes to everyone with a credit report in the United States. This includes the states where previously only identity theft victims had the option (Alaska (July 1, 2009), Arkansas, Kansas, Mississippi and South Dakota) and the states which don’t have credit freeze laws as of January 1, 2009 (Alabama, Michigan and Missouri).

    For those of us who do not have the option to place a freeze on our credit files, include in the Fraud Alert a request for each prospective creditor to confirm with a phone call at a number you specify (preferably the cell phone you take with you) that you actually did apply for the credit or change of address. Although the cost to the consumer varies with the individual USA state, the permanent credit freeze will remain until the consumer removes it, except in Kentucky, Nebraska, Pennsylvania and South Dakota, where the credit freeze will expire in seven years.

    As of January 2009, 44 American states have security breach notification laws. These laws vary from requiring that the consumer be notified of any security breach to requiring notification by only one of the following: corporations, private entities, non-profit organizations, state agencies, data brokers, information brokers, HIPAA entities or financial institutions. The six states without security breach notification laws are Alabama, Kentucky, Mississippi, Missouri, New Mexico and South Dakota.

    In the State of Georgia, only information brokers and data collectors must notify consumers of a security breach. In the States of Indiana, Oregon, Pennsylvania, South Carolina, Virginia and Washington, state agencies and private entities must inform consumers of a security breach unless private entities have their own disclosure procedures. In the State of Maine, only information brokers must notify customers of a security breach. The State of Ohio excludes financial institutions, credit unions, trust companies and affiliates which are required by Federal law to inform customers of an information security breach. The State of Oklahoma only requires state agencies to inform consumers of a security breach if the government entity does not maintain its own notification procedures. Financial institutions can be exempt from notifying customers of a security breach in West Virginia and Wyoming. And the States of Hawaii, Indiana, Michigan, Minnesota and Rhode Island exclude, under certain circumstances, both financial institutions and HIPAA entities.

    Individual USA state laws regarding security breach notification and credit freeze laws can be found at http://www.pirg.org/consumer/credit/statelaws.htm from the federation of USA state Public Interest Research Groups.

    Look at the list of data brokers that you can and can’t opt-out from and links to American state identity theft laws.

    Although companies are considered separate individuals for tax purposes, companies are composed of people. And people can make mistakes. People are anyone who works for companies or visits your home and is tempted when they see your checkbook, access/password information, or identification lying around in plain sight. I am not intending to say that the majority of employees or visitors to your home are thieves. Criminals prey on individual trust to manipulate you into revealing your personal information, such as website or corporate network usernames and passwords or identification numbers. But, according to statistics, a lost or stolen wallet, pocketbook or checkbook, and people whom you know or wrongly trust, produce a higher percentage of identity theft and corporate intrusion than a coordinated theft of company data or a pickpocket stealing your wallet. Look at chronologies of corporate data breaches and since February 2005.

    In the European Union, information concerning individuals must be kept accurate and current. Information can only be collected for a specific purpose and kept only as long as is necessary for the particular purpose. Transfers of personal information to third parties are restricted without the permission of the subject (in this situation, the consumer) of the information. Transfers of information to companies in any country without sufficient privacy protection according to European Union standards are restricted.

    The Asia Pacific Economic Cooperation (APEC) is a joint effort to nurture free and open trade and investment along with anticipation of resolution for privacy violations that can occur between an Asian country and Australia, Brunei Darussalam, Canada, Chile, China, Hong Kong, Indonesia, Japan, Korea, Malaysia, Mexico, New Guinea, New Zealand, Peru, Philippines, Russian Federation, Singapore, Taipei (Chinese), Thailand, United States and Vietnam.

    Play this game from OnGuard Online at http://www.onguardonline.gov/games/id-theft-faceoff.aspx to see how you rate with protecting your personal information.