Tuesday, December 12, 2006

Credit protectors gain profits - NY Times story

Eric Dash has a major story on page A1 of the December 12, 2006 The New York Times, "Protectors, Too, Gather Profits From ID Theft." Although new laws now require the three major companies to provide any consumer one free consolidated report a year, those same companies are making money selling consumers their own reports, as are other monitoring services. Some states, such as California, are passing laws allowing consumers to freeze their files, and about one-sixth of consumers do this. There are new problems when existing social security numbers are used with wrong names (as with illegal immigrants).

Again, a due diligence system based on NCOA or identification intelligence (like Idology -- next post) could prevent a lot of this. But there are questions as to whether credit grantors have sufficient incentive to perform the diligence. There would be concerns if the requirements extended to smaller businesses.

The three major reporting companies are Trans-Union, Equifax, and Experian. Experian is a spin-off from TRW, which had acquired Chilton; Equifax had acquired Pinger. There was considerable consolidation in the credit reporting business at the end of the 1980s (Chilton was bought by Borg-Warner in a leveraged buyout through Merrill Lynch Capital Partners, and then sold to TRW for cash after corporate raider Irwin Jacobs threatened Borg-Warner with a hostile takeover). I remember this well; I worked for Chilton in Dallas, on Fitzhugh in Oak Lawn, from 1981-1988, as a computer

Thursday, November 30, 2006

Idology: A useful tool for credit grantor due diligence?

First, don’t misspell the name of the company. It’s “Idology”, not “Ideology.”

In the trial over the constitutionality of COPA (see this blog), the government has mentioned a company and service named Idology as possibly a source of efficient age verification.

I looked at the website, and Idology does offer a variety of knowledge-based identification and age verification services. The age verification could apply in circumstances regarding sale of certain items or services to minors, or, depending on how COPA or other possible similar legislation plays out in court and in practice, access to certain websites or at least certain portions of those sites.

The identity verification obviously could fit into a due diligence procedure by credit grantors (banks, mortgage companies, auto dealers, etc.) to make sure that they do not give credit to imposters.

The trademarked service is called “ExpectID”. There is an expansion called “ExpectID IQ”, a “Knowledge Based Authentication” service built on multiple-choice questions. I could not tell from the site whether the company’s knowledge base checks NCOA (National Change of Address), the main concept promoted by this particular blog, but NCOA is obviously a potential source to check if it can be made available to such a service in a systematic and secure fashion.

There is a variation called “ExpectID PA” which is supposed to comply with the USA Patriot Act, and check against blacklists of known or suspected terrorists.

Of course, as I have indicated on other blogs, there is a legitimate concern about “private investigation” companies using lists of non-convicted “suspects” to eliminate potential employees, renters, customers, or other stakeholders, although security clearance procedures of the US Government do this all the time. There is also concern about monitoring how names could get onto these lists.

The other concern, of course, is the whole philosophy of "know thy customer," which has been articulated as being required of banks and other large companies since well before 9/11. Libertarians have properly pointed out that similar requirements could be made of small companies with no economies of scale, or even of providers of free content on the web.

The blogspot thread that discusses COPA is here.

Sunday, October 22, 2006

Health care concerns

A story by Max Alexander in the November 2006 Reader's Digest discusses this issue with respect to medical treatment and hospital bills.

In a system like what is proposed here, hospitals and medical providers would be required to send a notification to the preferred NCOA address, so that if treatment was obtained under false pretenses, the real person would find out.

There are HIPAA (Health Insurance Portability and Accountability Act) concerns. Sometimes an individual is unable to review records of treatment obtained under false pretenses, and medical providers are reluctant to change them. A medical consumer can request an "accounting of disclosures."

There is a further discussion on World Privacy Forum.

Sunday, October 15, 2006

Consumer responsibilities

Consumers would have some responsibilities for this kind of system to work. A consumer who did not receive expected bills or bank statements for several days (by mail or email) or who could not access his or her accounts online, would be expected to check with the appropriate institution.

The system would need to provide the capability for a USPS Post Office to check a National Change of Address record in a secured manner. A customer who suspected some sort of tampering or error would need to be able to ask a cleared postal employee to check on the NCOA system with an internal USPS application, not open to public access on the Internet. A mainframe application might be preferred for this, as traditional IBM mainframe applications and databases (DB2) may be easier to secure.

Thursday, October 05, 2006

More possible components of such a due diligence system

While companies sell shredding machines and television stations (like NBC4 in Washington) have community shreds, I still maintain, steadfastly, that we shouldn’t have to waste our time on shredding unwelcome snail mail (let alone emails and telemarketing calls) simply because banks, retailers, auto dealers and even mortgage companies can’t verify who is applying for credit, or don’t take the trouble to do their due diligence.

As I have suggested, it is not too much to ask of American business to set up a new system to take care of this problem, and I suppose that could employ me again, as a baby boomer retiree. I’ve looked around for some links today for companies and agencies that have the components of such a system.

Let’s start first with the United States Postal Service.

The heart of the USPS National Change of Address system is now called NCOALink (as it has been since 2004). Here is the most important link describing the system:

The system consists of component parts, some of which can be used separately by businesses at various steps in automated mailing processes. For example, FastForward is discussed at this link:

However, a client verification system such as described here would probably have to talk to NCOALink as part of its major strategy. I worked on implementing an earlier version of this in 1998 in Minneapolis at ReliaStar (today, ING).

Another important component is address standardization with Code-1. For example, some people put both a PO Box and a street address on an address, but it is the line immediately above city, state, and ZIP that is used. Apartment numbers should be on the same line as the street address, and they must be included when present. The USPS also has a certification system called CASS to guarantee carrier route bar codes on mailpieces; link here.
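As an added illustration (not code from the original post, the USPS, or any vendor), here is a small Python normalizer that applies the two rules just stated: the delivery line is the one immediately above city/state/ZIP (so a stray PO Box line above it is dropped), and a unit designator written on its own line is folded into the street line. The suffix table and the sample addresses are constructed for this example; it is not CASS-certified software.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A small subset of standard USPS street-suffix abbreviations (constructed for this example)
SUFFIXES = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "DRIVE": "DR",
            "BOULEVARD": "BLVD", "LANE": "LN", "COURT": "CT", "PLACE": "PL"}
# Words that begin a secondary (unit) designator
UNIT_WORDS = {"APT", "APARTMENT", "UNIT", "STE", "SUITE", "#", "RM", "ROOM", "FL", "FLOOR"}

# city, 2-letter state, ZIP5 with optional ZIP+4 (comma after the city is optional)
LAST_LINE = re.compile(
    r"^(?P<city>.+?),?\s+(?P<state>[A-Z]{2})\s+(?P<zip5>\d{5})(?:-?(?P<zip4>\d{4}))?$")


@dataclass
class StandardizedAddress:
    delivery_line: str            # street or PO Box line, unit included when present
    city: str
    state: str
    zip5: str
    zip4: Optional[str] = None
    dropped_lines: List[str] = field(default_factory=list)  # name line, extra PO Box, etc.


def _clean(line: str) -> str:
    """Uppercase, strip punctuation (keeping '#' and '-'), collapse spaces, abbreviate."""
    line = re.sub(r"[^\w#\- ]", " ", line.upper())
    line = re.sub(r"#\s*", "# ", line)          # "#4B" -> "# 4B"
    line = " ".join(line.split())
    line = re.sub(r"\bP\s?O BOX\b|\bPOST OFFICE BOX\b", "PO BOX", line)
    return " ".join(SUFFIXES.get(tok, tok) for tok in line.split())


def _is_unit_only(line: str) -> bool:
    """True for a line such as 'APT 4B' or 'UNIT 12' that carries only a unit designator."""
    toks = line.split()
    return len(toks) == 2 and toks[0] in UNIT_WORDS


def standardize(block: str) -> StandardizedAddress:
    """Normalize a multi-line mailing address block into its delivery and last lines."""
    lines = [_clean(l) for l in block.splitlines() if l.strip()]
    if len(lines) < 2:
        raise ValueError("need at least a delivery line and a city/state/ZIP line")
    m = LAST_LINE.match(lines[-1])
    if not m:
        raise ValueError(f"unparseable city/state/ZIP line: {lines[-1]!r}")
    body = lines[:-1]
    # Rule 1: the delivery line is whatever sits immediately above city/state/ZIP
    delivery = body.pop()
    # Rule 2: a unit written on its own line belongs on the street line above it
    if _is_unit_only(delivery) and body:
        delivery = body.pop() + " " + delivery
    # Anything left (name line, a competing PO Box line) is not part of the delivery address
    return StandardizedAddress(delivery, m["city"], m["state"], m["zip5"], m["zip4"], body)


if __name__ == "__main__":
    sample = "John Q. Public\nP.O. Box 123\n456 Main Street, Apt. 4B\nAnytown, VA 22030-1234"
    print(standardize(sample))
```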

The vendor that I worked with (in 1998) was Group1. The main link is http://www.g1.com. The company has been acquired by Pitney Bowes but still has a major presence in Prince George's County, MD, near Washington DC. The visitor can get a general idea of how this kind of technology is going today by visiting the home page and all the links on the right-hand side called “Business Solutions.” The Group1 service associated with NCOA is VeriMove (Move Update), at this link:
Their Code-1 Suite is at this link.

There is a related product that oversees data quality called DataSight: http://www.g1.com/Products/DataQuality/DataSight/ Associated with this is a data “merge-purge” process to eliminate redundancy. There are several products, such as this:

Group1 has a blog, http://blog.g1.com/, which for example describes a related new USPS product, OneCode:

Another major vendor is Harte-Hanks http://www.harte-hanks.com , which the visitor can explore.

One has the impression from all of this that a due diligence system for credit grantors could be built from various components like these, using various XML protocols to exchange data, and both IBM mainframe and client-server midtiers to process the verifications. A major systems development contractor like EDS, Perot, IBM, Unisys, Computer Sciences, etc. could manage the effort, and it very likely would be managed from the Washington DC area. Credit reporting companies (like Experian, TransUnion, and Equifax) would be part of the loop, as would major software developers (especially Microsoft). But it can and should be done.

Monday, September 25, 2006

Outline of a project plan to implement a due diligence mechanism protecting personal identity

This document reproduces what was originally published in Jan 2006. Because the index got overwritten, I am recreating it here.

Project Proposal

Although there are many ways that identity theft happens, the most troublesome seems to be the capability of a crook to create a fictitious "person instance" by using another’s social security number and then take out loans, which get reported as legal liabilities for the target person. A person may not learn of this problem for months, and could suffer loss of employment or housing as a result. This possibility is one of the main reasons why frequent checks of credit reports are necessary.

There exists an opportunity to prevent this kind of crime by encouraging every person to register a preferred contact address, and then requiring any credit grantor (mortgage company, credit card company, auto finance) to confirm a loan with that address. The United States Postal Service has a facility, National Change of Address (NCOA), that could form the kernel of such a policy. Any person, when he or she moves, can provide the USPS preferred mailing address information, and can provide more than one address. NCOA follows a number of automated practices, such as Code-1 (a standard format for mailing addresses), FastForward, and Move/Forward and Move/Update, an intricate procedure set which allows major companies to maintain preferred mailing addresses. Major corporate postal customers must follow rigorous audit standards to use these facilities. Various software vendors, such as Group-1 and Harte-Hanks, provide software for companies to interface with the USPS. It is easy to imagine expanding such a system to include preferred e-mail addresses.

Public policy (through legislation or administrative law) would then be changed to require all businesses making loans to confirm the obligation at an NCOA address. Therefore, if an obligation was made by another party duplicating the target person's identity, that person would receive a notification immediately. The remaining issue would then be securing the NCOA processing as much as possible, but this seems to be much more secure than many other information banks have been, as illustrated by many media reports.

There could be many wrinkles in this process. For example, when a consumer receives an original or a replacement credit card from a bank, the consumer typically calls the bank's 800 number (or goes to its web site) to activate the card. The credit card would, according to the proposed law, have to be mailed only to the preferred NCOA address. Activation information would have to include a preferred address code, a nine-digit ZIP plus box number if applicable, and that might well have to be encrypted or mapped to a random number for the consumer to use.
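Added example, not part of the original proposal or of any bank's or vendor's code: a Python sketch of the activation step described above, where the card is mailed only to the NCOA preferred address and the consumer activates with a random code mapped to that address record, so the address code itself is never spoken over the phone or typed into a web form. The consumer ids, addresses and hash key are constructed placeholders, and the NCOA lookup is a stand-in dictionary.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Stand-in for an NCOA lookup: consumer id -> registered preferred contact address (constructed)
NCOA_PREFERRED: Dict[str, str] = {
    "C-1001": "456 MAIN ST APT 4B, ANYTOWN VA 22030-1234",
}


@dataclass
class PendingActivation:
    code_hash: bytes        # only a keyed hash of the mailed code is stored, never the code
    mailed_to: str          # the NCOA preferred address the card and code were sent to
    expires_at: float       # epoch seconds after which the code is void
    attempts: int = 0
    used: bool = False


@dataclass
class Issuer:
    hash_key: bytes                      # server-side secret for hashing activation codes
    pending: Dict[str, PendingActivation] = field(default_factory=dict)
    ttl_seconds: float = 30 * 24 * 3600  # code is good for 30 days
    max_attempts: int = 5                # guess attempts before the card is locked

    def _hash(self, card_id: str, code: str) -> bytes:
        # Bind the hash to the card so a code cannot be replayed against another card
        return hmac.new(self.hash_key, f"{card_id}:{code}".encode(), hashlib.sha256).digest()

    def issue_card(self, card_id: str, consumer_id: str,
                   applicant_address: str, now: float) -> Optional[dict]:
        """Create the mail piece for a new card, or None if no preferred address is registered."""
        preferred = NCOA_PREFERRED.get(consumer_id)
        if preferred is None:
            return None  # no registered contact address: the obligation cannot be confirmed
        code = secrets.token_hex(6)  # 12 hex chars of randomness, unrelated to the address
        self.pending[card_id] = PendingActivation(
            self._hash(card_id, code), preferred, now + self.ttl_seconds)
        # The card goes to the preferred address regardless of what the applicant wrote;
        # a mismatch is recorded for review (a real system would standardize both first).
        return {"card_id": card_id, "mail_to": preferred, "activation_code": code,
                "address_mismatch": applicant_address.strip().upper() != preferred}

    def activate(self, card_id: str, code: str, now: float) -> str:
        """Consumer calls in with the mailed code; returns an outcome string."""
        p = self.pending.get(card_id)
        if p is None:
            return "unknown-card"
        if p.used:
            return "already-active"
        if now > p.expires_at:
            return "expired"
        if p.attempts >= self.max_attempts:
            return "locked"
        p.attempts += 1
        if not hmac.compare_digest(p.code_hash, self._hash(card_id, code)):
            return "bad-code"
        p.used = True  # single use: the mailed code is consumed
        return "activated"


if __name__ == "__main__":
    issuer = Issuer(hash_key=b"constructed-example-key")
    piece = issuer.issue_card("CARD-1", "C-1001", "999 ELSEWHERE RD, OTHERTOWN VA 22000", now=0.0)
    print(piece)
    print(issuer.activate("CARD-1", piece["activation_code"], now=1.0))
```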

Would this violate personal privacy, in that it gives the government a specific contact point to track any person (as a "mark")? In an ideological sense, maybe. But in practice, most active people need to know that they can be reliably contacted, at least by certified mail if nothing else, in case there is some kind of problem that they don’t know about. In the mid-1990s I had a situation with a mortgage that had been assumed. Without such contact, a person could even have a default judgment entered against himself or herself in certain kinds of circumstances. For persons who operate Internet websites, ICANN and registration companies require the maintenance of a reliable USPS land contact address.

It is also important to note that such a preferred address would not need to be where the person lives. An individual would not need to give away his residence to potential stalkers, for example, although certain Internet search or “skip trace” companies make it easier to find such a person. One could use a land address at a mailing company (such as UPS’s Mail Boxes, Etc.). One could use a place of employment with the employer's permission. There is no reason why a simple USPS PO Box would not suffice (although many businesses require a client to use a land address). When the primary address is an email address, one could look to a company like pobox.com as providing a paradigm for preferred contact.

In a sense, this is what happens now when a consumer's record has a fraud alert with a major credit reporting company (Experian, Equifax, Trans-Union). The lender has to do a lot more due diligence. I think the diligence must be performed in all cases. But there also needs to be an extra layer in the setup to ensure a preferred and guaranteed contact address, and the USPS NCOA is the logical starting point.

Of course, implementation of such a proposal would require major software enhancements by the USPS, companies that provide mail-related software, and software related to credit card, mortgage and auto loan processing. But there's no harm these days in giving I.T. people more work and in creating some jobs.

There are more details at this link. I certainly welcome comments.

Update: Nov. 22, 2011

See IT blog today for related entry.

Wednesday, September 20, 2006

FTC link; conversation at NBC4 Expo in Washington

Many of the important posts on this blog are in the June archive. (Please visit).
The most important is the "Outline of a Broad Strategy...." I am having difficulty making the exact href work. Please visit the archive and eyeball for that string.

On September 17, 2006, I went to the NBC4Connected Expo at the Washington Convention Center, and had a chat about this proposal at a booth sponsored by the FTC. There really doesn't seem to be a good reason why credit grantors don't practice more due diligence in verifying identities before giving credit (NCOA would certainly be a good tool if the system were developed).

Here is their link on this problem.

Tuesday, September 12, 2006

AARP warns about scams for medical treatment

The September 2006 AARP Bulletin warns about stealing personal information to get medical treatment, and there seem to be insufficient safeguards in place to prevent this. The scammer becomes a pretexter, calls another person to get personal information, and then uses it to get medical treatment. There is even a danger that a hospital could mix up the treatment records of different patients and give incorrect care. Ironically, HIPAA provisions might interfere with attempts by victims to force hospitals to admit errors, such as billing a fraudulent patient's treatment to the victim.

Use of the NCOA USPS system as proposed in this blog would be effective in preventing this kind of medical billing fraud.

For more on consumer scams, visit this fraud alert link.

Monday, June 26, 2006

One defense is a credit freeze

At the link below, I have the text of HR 3997, the Financial Data Protection Act of 2005/2006.

This would set a federal standard for allowing credit freezes by consumers, but apparently only those consumers who have become victims of identity theft.

Seventeen states allow any consumer to freeze his credit, which means that no creditor can see his credit report. That prevents his identity from being stolen for new credit accounts. The consumer can unfreeze at any time for a specific reason (like buying a house).

This law might prevent some consumers in these states from being able to freeze their credit.

Saturday, June 24, 2006

Development of a due diligence system would require planning, coordination

The following posts suggest the development of a large-scale system to help credit grantors perform the due diligence necessary to prevent the identities of consumers from being "copied," and the system would rely heavily on the National Change of Address (NCOA) system as a clearinghouse.

The project would probably be developed by a large software or systems development company, with a consortium of numerous financial institutions (banks, insurance companies, mortgage companies) as trial customers for implementation and quality assurance testing. Other software infrastructure companies (Microsoft) would probably participate. The United States Postal Service (USPS) would also be involved, as hooks (and sophisticated audits) would have to be put in the system. XML (various protocols like SOAP) would probably be used to move data between systems in a secure fashion. The software development company would provide formal project management.

Earlier indices (they may drop off as I add more posts):
http://billboushkaid.blogspot.com/2006/09/outline-of-project-plan-to-implement.html

Friday, June 16, 2006

ABC 20-20 has a segment on this topic

ABC "20-20" on June 16, 2006 had a segment on this, "what they don't want you to know". They presented a young man who reassembled a torn-up credit card application to a bank and got credit in his parents' name -- as an experiment -- and then informed the bank of the security hole.
The websites are http://www.cockeyed.com and http://www.kevin-jarrett.net/blog/?p=798

Of course, this just reinforces my theory that banks are careless about this, and don't check for obvious holes. The suggestion on the blog entries below is intended to get them to.

One wonders why sundering someone's credit report because of sloppy business practices isn't a form of libel.

The 20-20 segment also demoed a laptop that can download info from a speed pass without touching the consumer, and various scams involving ATMs.

Monday, June 12, 2006

Note the intention of this blog

Please notice that the intention of this blog is to develop a technical and administrative and legal solution to the identity theft problem.

There is space for advertising on this blog. So far, the advertising sense modules have delivered public service ads because they see the prevalence of a sensitive subject matter ("identity theft") on this page. An automated script cannot always determine the writer's intention the way a human reader can. In time, I hope that this problem is resolved.

I have been putting some of my more sensitive discussions on separate blogs in order to isolate them from many of the advertising scripts.

Friday, June 09, 2006

USPS link as is today

Here is the link to the USPS (United States Postal Service) site today, that explains how address change works now.


There is a Privacy Act statement.

Obviously, to put in a plan like what is suggested below would require legal attention from Congress first. Such a mechanism would require an appropriation from Congress (starting in the House of Representatives), and a systems development effort managed by the appropriate agency (probably the USPS).

Several companies (software companies and financial services companies) would have to be involved in developing the interfaces and performing the quality assurance and platform implementation. The interfaces would probably involve passing data as XML and using various modern W3C information exchange protocols like SOAP. A project like this would certainly generate some information technology jobs.

Wednesday, June 07, 2006

Physical security issues would exist even if there were no Internet

It is important to realize that the VA burglary (or similar losses of personal data from laptop computers or work diskettes or CDs, as in transport) could have happened even without an Internet. This is an issue involving old-fashioned, old-school workplace security, especially in a high gas price world where telecommuting and working from home have been encouraged. Another issue is that when major financial implementations are tested, companies typically use copies of live production data for system parallels. To do QA testing without such copying of data would introduce enormous costs to many I.T. projects.

But there is a danger that someone who steals such data (indirectly, by stealing a "real world" laptop or data disks or CDs) would try to sell it on the Internet. That lure exists as long as credit grantors continue to give out easy credit without a system (such as a link to NCOA) to verify the real identity of an applicant for credit. In network broadcast interviews such as NBC Nightly News on June 7, 2006, reporting about the VA issue, military servicemembers have expressed additional concerns about their personal and family security. These observations, already made on major media outlets and broadcast channels, are important, because they could lead to calls for regulation of the Internet that would increase the barrier to entry; newbies could be construed as indirectly adding to the security hazards (of, for example, military personnel).

In mid-June 2006 there was another major physical theft in Washington DC: a laptop from the home of an insurance agent for an international financial services company. The personal information of DC employees and retirees may be compromised. Now I worked in the insurance industry myself for years (in IT), and technology to allow agents to carry information to sell in the field (and upload and download as necessary) advanced rapidly in the 90s. Most of these issues involve the policyholder and contract information, not the Internet. Again, the practical consequences for ordinary citizens using financial services would be much less serious if credit grantors had and used regular verification systems before finalizing credit (as in the following entries).

The Internet does figure into some of the events. In June 2006 the Navy reported that the personal information of sailors and their families had been posted from spreadsheets on a civilian website. The Defense Department apparently does sweeps of the public Internet for classified information or for personal information about military personnel. The information was removed immediately when it was found, and the site was removed. (Washington Post, June 24, 2006, p A5). Websites that capture credit card information could add to the risk under current systems.

One of the flaws of the Child Online Protection Act (COPA) is that it would encourage small website owners to process credit card information, and this could also pose security issues for the credit card holders.

Tuesday, June 06, 2006

From my resume (previous NCOA project):

I worked on a project to install National Change of Address at a major financial services company, ReliaStar (now bought out by ING) in 1998.

Reduced volume of return mail (by about 20%), by implementing new NCOA (National Change of Address) interface and by clientization of major Vantage system.

This project was implemented in 1998.

From 1981 to 1988 I worked for a major credit reporting company, Chilton, in Dallas, TX. It would be bought out by TRW in 1989, and that would be spun off as Experian in the 1990s. There is still a major presence in Allen, TX, north of Dallas.

My resume is at this link or at this link on blogspot.

Physical security within employer premises and when working at home

Recently there have been sensational media reports about the loss or theft of data CDs, diskettes, or laptop computers containing live production data about consumers, including their social security numbers. The most sensational of these reports concerned the Veterans Administration, with the loss of data on upwards of 26 million veterans from a laptop computer taken from a private home that was burglarized. Both government agencies and private companies have been involved. Sometimes data has been lost in shipment.

It has become common for workers to telecommute and work from home, which in some cases could mean live data residing in caches on personal computers. In such cases, it is becoming clear that employers should always provide a company owned computer for such company use only. But probably only employees whose homes meet certain physical security standards (such as no sliding glass doors and deadbolt locks) should be allowed to work from home this way.

Likewise, employees often take paperwork home, and this can contain confidential information. That may have been all right in the 1980s and 1990s, but it would not be all right today. One problem was that quality assurance testing was often based on extracting and loading large amounts of production data. Production parallel “beta test” runs often involved full parallels on full production data for weeks at a time, with all output reports checked. Today such tests must be done in a much more secure manner. For financial systems implementations, companies will have to invest much more in adequate test data design with non-live data. Possibly randomizing scrub routines could be used.

Still, if credit grantors were forced to be much more careful in validating the identities of consumers, such as in succeeding entries on this blog, the problem would be much less serious.

It is probably not a good idea for small businesses to do their own credit card and merchant account processing, given liability concerns if their servers were compromised. It is probably safer to outsource such processing to companies with enough scale to secure personal data properly. But large companies, as we know, have not always been reliable.

Would granting of credit be delayed by this strategy?

Would this strategy slow down the granting of credit or cause price increases?

I would think it would mean that a credit card could not be activated until the consumer received a verification letter at a "preferred" NCOA US postal (or conceivably email) address. I don't think this would usually be a problem.

With car purchases, typically a consumer has to wait a day or two to pick up a new car, and that amount of time would give the car dealer time to verify the identity of the consumer and send the verification letter. Really, doesn't a car dealer want to be careful before letting someone drive a $30,000 vehicle off the lot?

With some kinds of instant financing, as at computer stores, I do see some roadblocks.

Outline of a broad strategy to protect personal identity

This entry has been moved to the blog file for Sept 25, 2006. Please look there.

Welcome to my blog on stopping identity theft

I am starting a couple of new blogs on specific issues that have developed during the Internet age. We all know that with all of the opportunities brought by the Internet, there are new risks, to security, loss of privacy, exposure to unwanted materials by children, and the like.

One particular problem has been identity theft. A particularly disturbing scenario is that credit grantors (banks with credit cards, car dealers, and the like) sometimes give credit to individuals using another person's social security number and various other fictitious information. The original individual finds that person's fraudulent account on his credit report. Why don't credit grantors check more carefully before giving credit?

This blog will discuss this scenario.

Because it is referenced above, here is the text of HR 3997, a bill, the proposed Financial Data Protection Act of 2006.

Financial Data Protection Act of 2006 (Reported in House)

[For text of introduced bill, see copy of bill as introduced on October 6, 2005]


To amend the Fair Credit Reporting Act to provide for secure financial data, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,


(a) Short Title- This Act may be cited as the `Financial Data Protection Act of 2006'.

(b) Findings- The Congress finds as follows:

(1) Protecting the security of sensitive information relating to consumers is important to limiting account fraud and identity theft.

(2) While the Gramm-Leach-Bliley Act requires financial institutions to protect the security and confidentiality of the nonpublic personal information of the customers of financial institutions, the scope of covered entities and type of information needs to be broadened to fully protect consumers.

(3) Some Federal agencies have issued model guidance under the Gramm-Leach-Bliley Act requiring banks to investigate and provide notice to customers of breaches of data security involving customer information that could lead to account fraud or identity theft, but these standards need to be broadened to apply to other entities acting as consumer reporters, in order to create a single, uniform data security standard that applies to all parties to transactions involving such financial information.

(4) Requiring all consumer reporters handling sensitive financial personal information to provide notice to consumers of data security breaches that are likely to result in harm or inconvenience will help consumers protect themselves and mitigate against the risk of identity theft or account fraud.

(5) Therefore, all consumer reporters should--

(A) protect sensitive financial personal information;

(B) investigate potential data security breaches;

(C) provide breach notices as appropriate to the United States Secret Service, functional regulators, involved third parties, and consumers;

(D) restore the security of the information and improve safeguards after a breach; and

(E) provide consumers free file monitoring where appropriate to reduce the risk of identity theft.


(a) In General- As set forth in section 630 of the Fair Credit Reporting Act, as amended by the Act, in the event a consumer reporter becomes aware of information suggesting a breach of data security, such consumer reporter shall immediately conduct an investigation, and notify authorities and consumers as appropriate.

(b) FCRA Data Security Amendment- The Fair Credit Reporting Act (15 U.S.C. 1681) is amended by adding at the end the following new section:


`(a) Protection of Sensitive Financial Personal Information-

`(1) DATA SECURITY OBLIGATION POLICY- It is the policy of the Congress that each consumer reporter has an affirmative and continuing obligation to protect the security and confidentiality of sensitive financial personal information.

`(2) SECURITY POLICIES AND PROCEDURES- Each consumer reporter shall have an affirmative obligation to implement, and a continuing obligation to maintain, reasonable policies and procedures to protect the security and confidentiality of sensitive financial personal information relating to any consumer that is handled by such consumer reporter against any loss, unauthorized access, or misuse that is reasonably likely to result in harm or inconvenience to such consumer.

`(3) DATA DESTRUCTION AND DATA DISPOSAL POLICIES AND PROCEDURES- The policies and procedures described in paragraph (2) shall include providing for the proper disposal of sensitive financial personal information in accordance with the standards, guidelines, or regulations issued pursuant to this title.

`(b) Investigation Requirements-

`(1) INVESTIGATION TRIGGER- A consumer reporter shall immediately conduct a data security breach investigation if it--

`(A) becomes aware of any information indicating a reasonable likelihood that a data security breach has occurred or is unavoidable;

`(B) becomes aware of information indicating an unusual pattern of misuse of sensitive financial personal information handled by a consumer reporter indicative of financial fraud; or

`(C) receives a notice under subsection (e).

`(2) SCOPE OF INVESTIGATION- Such investigation shall be conducted in a manner commensurate with the nature and the amount of the sensitive financial personal information that is subject to the breach of data security, including appropriate actions to--

`(A) assess the nature and scope of the potential breach;

`(B) identify the sensitive financial personal information potentially involved;

`(C) determine whether such information is usable by the parties causing the breach; and

`(D) determine the likelihood that such information has been, or will be, misused in a manner that may cause harm or inconvenience to the related consumer.


`(A) SUGGESTED SAFEGUARDS- The regulators described in subsection (k)(1) shall jointly develop standards and guidelines to identify and regularly update appropriate technology safeguards for making consumer reporter's sensitive financial personal information unusable in a manner commensurate with the nature and the amount of such information, including--

`(i) consideration of the encryption standards adopted by the National Institute of Standards and Technology for use by the Federal Government; and

`(ii) appropriate management and protection of keys or codes necessary to protect the integrity of encrypted information.

`(B) SAFEGUARD FACTORS- In determining the likelihood of a data security breach, a consumer reporter may consider whether the information subject to the potential breach is unusable because it is encrypted, redacted, requires technology to use that is not generally commercially available, or has otherwise similarly been rendered unreadable.

`(C) SAFE HARBOR FOR PROTECTED DATA- As set forth in the standards and guidelines issued pursuant to subparagraph (A), a consumer reporter may reasonably conclude that a data security breach is not likely to have occurred where the sensitive personal financial information involved has been encrypted, redacted, requires technology to use that is not generally commercially available, or is otherwise unlikely to be usable.

`(D) EXCEPTION- Subparagraphs (B) and (C) shall not apply if the consumer reporter becomes aware of information that would reasonably indicate that the information that was the subject of the potential breach is usable by the entities causing the breach or potentially misusing the information, for example because--

`(i) an encryption code is potentially compromised;

`(ii) the entities are believed to have the technology to access the information; or

`(iii) there is an unusual pattern of misuse of such information indicative of financial fraud.

`(c) Breach Notices- If a consumer reporter determines that a breach of data security has occurred, is likely to have occurred, or is unavoidable, the consumer reporter shall in the order listed--

`(1) promptly notify the United States Secret Service;

`(2) promptly notify the appropriate functional regulatory agency for the consumer reporter;

`(3) notify as appropriate and without unreasonable delay--

`(A) any third party entity that owns or is obligated on an affected financial account as set forth in the standards or guidelines pursuant to subsection (k)(1)(G), including in such notification information reasonably identifying the nature and scope of the breach and the sensitive financial personal information involved; and

`(B) any other appropriate critical third parties whose involvement is necessary to investigate the breach; and

`(4) without unreasonable delay notify any affected consumers to the extent required in subsection (f), as well as--

`(A) each nationwide consumer reporting agency, in the case of a breach involving sensitive financial identity information relating to 1,000 or more consumers; and

`(B) any other appropriate critical third parties who will be required to undertake further action with respect to such information to protect such consumers from resulting fraud or identity theft.

`(d) System Restoration Requirements- If a consumer reporter determines that a breach of data security has occurred, is likely to have occurred, or is unavoidable, the consumer reporter shall take prompt and reasonable measures to--

`(1) repair the breach and restore the security and confidentiality of the sensitive financial personal information involved to limit further unauthorized misuse of such information; and

`(2) restore the integrity of the consumer reporter's data security safeguards and make appropriate improvements to its data security policies and procedures.

`(e) Third Party Duties-

`(1) COORDINATED INVESTIGATION- Whenever any consumer reporter that handles sensitive financial personal information for or on behalf of another party becomes aware that an investigation is required under subsection (b) with respect to such information, the consumer reporter shall--

`(A) promptly notify the other party of the breach;

`(B) conduct a coordinated investigation with the other party as described in subsection (b); and

`(C) ensure that the appropriate notices are provided as required under subsection (f).

`(2) CONTRACTUAL OBLIGATION REQUIRED- No consumer reporter may provide sensitive financial personal information to a third party, unless such third party agrees to fulfill the obligations imposed by subsections (a), (d), and (h), as well as that whenever the third party becomes aware that a breach of data security has occurred, is reasonably likely to have occurred, or is unavoidable, with respect to such information, the third party shall be obligated--

`(A) to provide notice of the potential breach to the consumer reporter;

`(B) to conduct a coordinated investigation with the consumer reporter to identify the sensitive financial personal information involved and determine if the potential breach is reasonably likely to result in harm or inconvenience to any consumer to whom the information relates; and

`(C) provide any notices required under this section, except to the extent that such notices are provided by the consumer reporter in a manner meeting the requirements of this section.

`(f) Consumer Notice-

`(1) POTENTIAL IDENTITY THEFT RISK AND FRAUDULENT TRANSACTION RISK- A consumer reporter shall provide a consumer notice if, at any point the consumer reporter becomes aware--

`(A) that a breach of data security is reasonably likely to have occurred or be unavoidable, with respect to sensitive financial personal information handled by the consumer reporter;

`(B) of information reasonably identifying the nature and scope of the breach; and

`(C) that such information is reasonably likely to have been or to be misused in a manner causing harm or inconvenience against the consumers to whom such information relates to--

`(i) commit identity theft if the information is sensitive financial identity information, or

`(ii) make fraudulent transactions on such consumers' financial accounts if the information is sensitive financial account information.


`(A) STANDARDS FOR SAFEGUARDS- The regulators described in subsection (k)(1) shall issue guidelines relating to the types of sophisticated neural networks and security programs that are likely to detect fraudulent account activity and at what point detection of such activity is sufficient to avoid consumer notice under this subsection.

`(B) ALTERNATIVE SAFEGUARDS- In determining the likelihood of misuse of sensitive financial account information and whether a notice is required under paragraph (1), the consumer reporter may additionally consider--

`(i) consistent with any standards promulgated under subparagraph (A), whether any neural networks or security programs used by, or on behalf of, the consumer reporter have detected, or are likely to detect on an ongoing basis over a reasonable period of time, fraudulent transactions resulting from the breach of data security; or

`(ii) whether no harm or inconvenience is reasonably likely to have occurred, because for example the related consumer account has been closed or its number has been changed.

`(3) COORDINATION WITH THE FAIR DEBT COLLECTION PRACTICES ACT- The provision of a notice to the extent such notice and its contents are required under this section shall not be considered a communication under the Fair Debt Collection Practices Act.


`(A) IN GENERAL- The Commission shall coordinate with the other government entities identified in this section to create a publicly available list of data security breaches that have triggered a notice to consumers under this subsection within the last 12 months.

`(B) LISTED INFORMATION- The publicly available list described in subparagraph (A) shall include the following:

`(i) The identity of the party responsible that suffered the breach.

`(ii) A general description of the nature and scope of the breach.

`(iii) Any financial fraud mitigation or other services provided by such party to the affected consumers, including the telephone number and other appropriate contact information for accessing such services.

`(g) Timing, Content, and Manner of Notices-

`(1) DELAY OF NOTICE FOR LAW ENFORCEMENT PURPOSES- If a consumer reporter receives a written request from an appropriate law enforcement agency indicating that the provision of a notice under subsection (c)(3) or (f) would impede a criminal or civil investigation by that law enforcement agency, or an oral request from an appropriate law enforcement agency indicating that such a written request will be provided within 2 business days--

`(A) the consumer reporter shall delay, or in the case of a foreign law enforcement agency may delay, providing such notice until--

`(i) the law enforcement agency informs the consumer reporter that such notice will no longer impede the investigation; or

`(ii) the law enforcement agency fails to--

`(I) provide within 10 days a written request to continue such delay for a specific time that is approved by a court of competent jurisdiction; or

`(II) in the case of an oral request for a delay, provide a written request within 2 business days, and if such delay is requested for more than 10 additional days, such request must be approved by a court of competent jurisdiction; and

`(B) the consumer reporter may--

`(i) conduct appropriate security measures that are not inconsistent with such request; and

`(ii) contact such law enforcement agency to determine whether any such inconsistency would be created by such measures.

`(2) HOLD HARMLESS PROVISION- A consumer reporter shall not be liable for any fraud mitigation costs or for any losses that would not have occurred but for notice to or the provision of sensitive financial personal information to law enforcement, or the delay provided for under this subsection, except that--

`(A) nothing in this subparagraph shall be construed as creating any inference with respect to the establishment or existence of any such liability; and

`(B) this subparagraph shall not apply if the costs or losses would not have occurred had the consumer reporter undertaken reasonable system restoration requirements to the extent required under subsection (d), or other similar provision of law, except to the extent that such system restoration was delayed at the request of law enforcement.

`(3) CONTENT OF CONSUMER NOTICE- Any notice required to be provided by a consumer reporter to a consumer under subsection (f)(1), and any notice required in accordance with subsection (e)(2)(A), shall be provided in a standardized transmission or exclusively colored envelope, and shall include the following in a clear and conspicuous manner:

`(A) An appropriate heading or notice title.

`(B) A description of the nature and types of information and accounts as appropriate that were, or are reasonably believed to have been, subject to the breach of data security.

`(C) A statement identifying the party responsible, if known, that suffered the breach, including an explanation of the relationship of such party to the consumer.

`(D) If known, the date, or the best reasonable approximation of the period of time, on or within which sensitive financial personal information related to the consumer was, or is reasonably believed to have been, subject to a breach.

`(E) A general description of the actions taken by the consumer reporter to restore the security and confidentiality of the breached information.

`(F) A telephone number by which a consumer to whom the breached information relates may call free of charge to obtain additional information about how to respond to the breach.

`(G) With respect to notices involving sensitive financial identity information, a copy of the summary of rights of consumer victims of fraud or identity theft prepared by the Commission under section 609(d), as well as any additional appropriate information on how the consumer may--

`(i) obtain a copy of a consumer report free of charge in accordance with section 612;

`(ii) place a fraud alert in any file relating to the consumer at a consumer reporting agency under section 605A to discourage unauthorized use; and

`(iii) contact the Commission for more detailed information.

`(H) With respect to notices involving sensitive financial identity information, a prominent statement in accordance with subsection (h) that file monitoring will be made available to the consumer free of charge for a period of not less than six months, together with a telephone number for requesting such services, and may also include such additional contact information as a mailing address, e-mail, or Internet website address.

`(I) The approximate date the notice is being issued.

`(4) OTHER TRANSMISSION OF NOTICE- The notice described in paragraph (3) may be made by other means of transmission (such as electronic or oral) to a consumer only if--

`(A) the consumer has affirmatively consented to such use, has not withdrawn such consent, and with respect to electronic transmissions is provided with the appropriate statements related to such consent as described in section 101(c)(1) of the Electronic Signatures in Global and National Commerce Act; and

`(B) all of the relevant information in paragraph (3) is communicated to such consumer in such transmission.


`(A) IN GENERAL- A consumer reporter, whether acting directly or in coordination with another entity--

`(i) shall not be required to provide more than 1 notice with respect to any breach of data security to any affected consumer, so long as such notice meets all the applicable requirements of this section, and

`(ii) shall not be required to provide a notice with respect to any consumer if a notice meeting the applicable requirements of this section has already been provided to such consumer by another entity.

`(B) UPDATING NOTICES- If a consumer notice is provided to consumers pursuant only to subsection (f)(1)(C)(ii) (relating to sensitive financial account information), and the consumer reporter subsequently becomes aware of a reasonable likelihood that sensitive financial personal information involved in the breach is being misused in a manner causing harm or inconvenience against such consumer to commit identity theft, an additional notice shall be provided to such consumers as well as any other appropriate parties under this section, including a copy of the Commission's summary of rights and file monitoring mitigation instructions under subparagraphs (G) and (H) of paragraph (3).


`(A) IN GENERAL- Except as otherwise established by written agreement between the consumer reporter and its agents or third party servicers, the entity that suffered a breach of data security shall be--

`(i) primarily responsible for providing any consumer notices and file monitoring required under this section with respect to such breach; and

`(ii) responsible for the reasonable actual costs of any notices provided under this section.

`(B) IDENTIFICATION TO CONSUMERS- No such agreement shall restrict the ability of a consumer reporter to identify the entity responsible for the breach to consumers.

`(C) NO CHARGE TO CONSUMERS- The cost for the notices and file monitoring described in subparagraph (A) may not be charged to the related consumers.

`(h) Financial Fraud Mitigation-

`(1) FREE FILE MONITORING- Any consumer reporter that is required to provide notice to a consumer under subsection (f)(1)(C)(i), or that is deemed to be in compliance with such requirement by operation of subsection (j), if requested by the consumer before the end of the 90-day period beginning on the date of such notice, shall make available to the consumer, free of charge and for at least a 6-month period--

`(A) a service that monitors nationwide credit activity regarding a consumer from a consumer reporting agency described in section 603(p); or

`(B) a service that provides identity-monitoring to consumers on a nationwide basis that meets the guidelines described in paragraph (2).

`(2) IDENTITY MONITORING NETWORKS- The regulators described in subsection (k)(1) shall issue guidelines on the type of identity monitoring networks that are likely to detect fraudulent identity activity regarding a consumer on a nationwide basis and would satisfy the requirements of paragraph (1).

`(3) JOINT RULEMAKING FOR SAFE HARBOR- In accordance with subsection (j), the Secretary of the Treasury, the Board of Governors of the Federal Reserve System, and the Commission shall jointly develop standards and guidelines, which shall be issued by all functional regulatory agencies, that, in any case in which--

`(A) free file monitoring is offered under paragraph (1) to a consumer;

`(B) subsequent to the offer, another party misuses sensitive financial identity information on the consumer obtained through the breach of data security (that gave rise to such offer) to commit identity theft against the consumer; and

`(C) at the time of such breach the consumer reporter met the requirements of subsections (a) and (d),

exempts the consumer reporter from any liability for any harm to the consumer resulting from such misuse, other than any direct pecuniary loss or loss pursuant to agreement by the consumer reporter, except that nothing in this paragraph shall be construed as creating any inference with respect to the establishment or existence of any such liability.

`(i) Credit Security Freeze-

`(1) DEFINITIONS- For purposes of this subsection, the following definitions shall apply:

`(A) SECURITY FREEZE- The term `security freeze' means a notice placed in a credit report on a consumer, at the request of the consumer who is a victim of identity theft, that prohibits the consumer reporting agency from releasing all or any part of the credit report, without the express authorization of the consumer, except as otherwise provided in this section.

`(B) REVIEWING THE ACCOUNT; ACCOUNT REVIEW- The terms `reviewing the account' and `account review' include activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.


`(A) IN GENERAL- A consumer who has been the victim of identity theft may place a security freeze on the file of such consumer at any consumer reporting agency by--

`(i) making a request in writing by certified mail to the consumer reporting agency;

`(ii) submitting an identity theft report to the consumer reporting agency; and

`(iii) providing such evidence of the identity of the consumer as such consumer reporting agency may require under paragraph (5).

`(B) PROMPT IMPOSITION OF FREEZE- A consumer reporting agency shall place a security freeze on a credit report on a consumer no later than 5 business days after receiving a written request from the consumer in accordance with subparagraph (A).


`(i) IN GENERAL- Except as otherwise provided in this subsection, if a security freeze is in place with respect to any consumer, information from the consumer's credit report may not be released by the consumer reporting agency or reseller to any third party, including another consumer reporting agency or reseller, without the prior express authorization from the consumer or as otherwise permitted in this section.

`(ii) ADVISING OF EXISTENCE OF SECURITY FREEZE- Clause (i) shall not be construed as preventing a consumer reporting agency or reseller from advising a third party that a security freeze is in effect with respect to the credit report on the consumer.

`(D) CONFIRMATION OF FREEZE; ACCESS CODE- Any consumer reporting agency that receives a consumer request for a security freeze in accordance with subparagraph (A) shall--

`(i) send a written confirmation of the security freeze to the consumer within 10 business days of placing the freeze; and

`(ii) at the same time, provide the consumer with a unique personal identification number or password (other than the Social Security account number of any consumer) to be used by the consumer when providing authorization for the release of the credit report of the consumer to a specific party or for a specific period of time.


`(A) NOTICE BY CONSUMER- If the consumer wishes to allow the credit report on the consumer to be accessed by a specific party or for a specific period of time while a freeze is in place, the consumer shall--

`(i) contact the consumer reporting agency in any manner the agency may provide;

`(ii) request that the security freeze be temporarily lifted; and

`(iii) provide--

`(I) proper identification;

`(II) the unique personal identification number or password provided by the consumer reporting agency pursuant to paragraph (2)(D)(ii); and

`(III) the proper information regarding the third party who is to receive the credit report or the time period for which the report shall be available to users of the credit report.

`(B) TIMELY RESPONSE REQUIRED- A consumer reporting agency that receives a request from a consumer to temporarily lift a security freeze on a credit report in accordance with subparagraph (A) shall comply with the request no later than 3 business days after receiving the request.

`(C) PROCEDURES FOR REQUESTS- A consumer reporting agency may develop procedures involving the use of telephone, fax, or, upon the consent of the consumer in the manner required by the Electronic Signatures in Global and National Commerce Act for notices legally required to be in writing, by the Internet, e-mail, or other electronic medium to receive and process a request from a consumer to temporarily lift a security freeze on a credit report pursuant to subparagraph (A) in an expedited manner.


`(A) IN GENERAL- A consumer reporting agency may remove or temporarily lift a security freeze placed on a credit report on a consumer only in the following cases:

`(i) Upon receiving a consumer request for a temporary lift of the security freeze in accordance with paragraph (3)(A).

`(ii) Upon receiving a consumer request for the removal of the security freeze in accordance with subparagraph (C).

`(iii) Upon a determination by the consumer reporting agency that the security freeze was imposed on the credit report due to a material misrepresentation of fact by the consumer.

`(B) NOTICE TO CONSUMER OF DETERMINATION- If a consumer reporting agency makes a determination described in subparagraph (A)(iii) with respect to a security freeze imposed on the credit report on any consumer, the consumer reporting agency shall notify the consumer of such determination in writing prior to removing the security freeze on such credit report.


`(i) IN GENERAL- Except as provided in this subsection, a security freeze shall remain in place until the consumer requests that the security freeze be removed.

`(ii) PROCEDURE FOR REMOVING SECURITY FREEZE- A consumer reporting agency shall remove a security freeze within 3 business days of receiving a request for removal from the consumer who provides--

`(I) proper identification; and

`(II) the unique personal identification number or password provided by the consumer reporting agency pursuant to paragraph (2)(D)(ii).

`(5) PROPER IDENTIFICATION REQUIRED- A consumer reporting agency shall require proper identification of any person who makes a request to impose, temporarily lift, or permanently remove a security freeze on the credit report of any consumer under this section.
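The placement, temporary lift, and removal procedure in paragraphs (2) through (5) above, modelled as a small Python module from the reporting agency's side. This is an added example written for this page, not text from the bill and not code from any reporting agency; the class and function names, the salted PBKDF2 storage of the access code, the weekend-only business-day calendar, and the sample identifiers are all assumptions.

```python
"""Added example: a minimal model of the security-freeze lifecycle in subsection (i).
Assumptions (not from the bill): PBKDF2-SHA256 for storing the access code,
a weekend-only business-day calendar, and the class/function names used here."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

PLACE_DEADLINE_DAYS = 5   # (2)(B): freeze placed within 5 business days of the request
LIFT_DEADLINE_DAYS = 3    # (3)(B) and (4)(C)(ii): lift or removal within 3 business days


def business_days_after(start: date, n: int) -> date:
    """Compliance deadline n business days after start (weekends skipped; holidays not modelled)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def _hash_code(code: str, salt: bytes) -> bytes:
    # Keep only a salted hash of the PIN/password issued under (2)(D)(ii), never the code itself.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


@dataclass
class SecurityFreeze:
    salt: bytes
    code_hash: bytes
    lifted_for: set = field(default_factory=set)   # parties the consumer authorised under (3)
    lifted_until: Optional[date] = None            # or a time window authorised under (3)


class ConsumerFile:
    """One consumer's file at a reporting agency (constructed for the example)."""

    def __init__(self, ssn: str) -> None:
        self.ssn = ssn
        self.freeze: Optional[SecurityFreeze] = None

    def place_freeze(self, identity_verified: bool, identity_theft_report: bool) -> str:
        """(2)(A): written request, identity theft report, and proper identification.
        Returns the access code to send to the consumer; only its hash is retained."""
        if not (identity_verified and identity_theft_report):
            raise PermissionError("request does not meet paragraph (2)(A)")
        code = f"{secrets.randbelow(10**10):010d}"
        while code == self.ssn.replace("-", ""):   # (2)(D)(ii): the code must not be the SSN
            code = f"{secrets.randbelow(10**10):010d}"
        salt = secrets.token_bytes(16)
        self.freeze = SecurityFreeze(salt=salt, code_hash=_hash_code(code, salt))
        return code

    def _authorised(self, code: str, identity_verified: bool) -> bool:
        # Paragraph (5): proper identification, plus the access code, before any lift or removal.
        f = self.freeze
        return (f is not None and identity_verified
                and hmac.compare_digest(_hash_code(code, f.salt), f.code_hash))

    def temporary_lift(self, code: str, identity_verified: bool,
                       party: Optional[str] = None, until: Optional[date] = None) -> bool:
        """(3)(A): lift the freeze for a specific party or for a specific period."""
        if not self._authorised(code, identity_verified) or (party is None and until is None):
            return False
        if party is not None:
            self.freeze.lifted_for.add(party)
        if until is not None:
            self.freeze.lifted_until = until
        return True

    def remove_freeze(self, code: str, identity_verified: bool) -> bool:
        """(4)(C)(ii): permanent removal on the consumer's authenticated request."""
        if not self._authorised(code, identity_verified):
            return False
        self.freeze = None
        return True

    def may_release(self, requester: str, today: date, existing_relationship: bool = False) -> bool:
        """(2)(C)(i): nothing is released while frozen, except to a party the consumer
        authorised under (3), inside an authorised window, or to an (8)(A) existing creditor."""
        f = self.freeze
        if f is None or existing_relationship or requester in f.lifted_for:
            return True
        return f.lifted_until is not None and today <= f.lifted_until
```

The design point worth noting is in `_hash_code` and `_authorised`: the agency issues a random code distinct from the Social Security number, stores only a salted hash, and compares in constant time, so a later breach of the agency's own database does not hand out the very credential that unlocks the frozen files. `business_days_after` turns the 5- and 3-business-day clocks in paragraphs (2)(B), (3)(B) and (4)(C)(ii) into concrete due dates for an operations team.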


`(A) a third party requests access to a consumer's credit report on which a security freeze is in effect under this section in connection with an application by the consumer for credit or any other use; and

`(B) the consumer does not allow the consumer's credit report to be accessed by that specific party or during the specific period such application is pending,

the third party may treat the application as incomplete.


`(A) AGGREGATORS AND OTHER AGENCIES- This subsection shall not apply to a consumer reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the database of another consumer reporting agency or multiple consumer reporting agencies, and does not maintain a permanent database of credit information from which new credit reports are produced.

`(B) OTHER EXEMPTED ENTITIES- The following entities shall not be required to place a security freeze in a credit report:

`(i) An entity which provides check verification or fraud prevention services, including but not limited to, reports on incidents of fraud, verification or authentication of a consumer's identification, or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments.

`(ii) A deposit account information service company, which issues reports regarding account closures due to fraud, substantial overdrafts, automated teller machine abuse, or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or other financial institution.

`(8) EXCEPTIONS- This subsection shall not apply with respect to the use of a consumer credit report by any of the following for the purpose described:

`(A) A person, or any affiliate, agent, or assignee of any person, with whom the consumer has or, prior to an assignment, had an account, contract, or debtor-creditor relationship for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or debt.

`(B) An affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under paragraph (3) for purposes of facilitating the extension of credit or other permissible use of the report in accordance with the consumer's request under such paragraph.

`(C) Any State or local agency, law enforcement agency, trial court, or person acting pursuant to a court order, warrant, or subpoena.

`(D) A Federal, State, or local agency that administers a program for establishing and enforcing child support obligations for the purpose of administering such program.

`(E) A Federal, State, or local health agency, or any agent or assignee of such agency, acting to investigate fraud within the jurisdiction of such agency.

`(F) A Federal, State, or local tax agency, or any agent or assignee of such agency, acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any other statutory responsibility of such agency.

`(G) Any person that intends to use the information in accordance with section 604(c).

`(H) Any person administering a credit file monitoring subscription or similar service to which the consumer has subscribed.

`(I) Any person for the purpose of providing a consumer with a copy of the credit report or credit score of the consumer upon the consumer's request.

`(9) PROHIBITION ON FEE- A consumer reporting agency may not impose a fee for placing, removing, or removing for a specific party or parties a security freeze on a credit report.

`(10) NOTICE OF RIGHTS- At any time that a consumer is required to receive a summary of rights required under section 609(c)(1) or 609(d)(1) the following notice shall be included:

`Consumers Who Are Victims of Identity Theft Have the Right to Obtain a Security Freeze on Your Consumer Report

`You may obtain a security freeze on your consumer credit report at no charge if you are a victim of identity theft and you submit a copy of an identity theft report you have filed with a law enforcement agency about unlawful use of your personal information by another person.

`The security freeze will prohibit a credit reporting agency from releasing any information in your consumer credit report without your express authorization.