Monday, June 26, 2006

One defense is a credit freeze

At the link below, I have posted the text of HR 3997, The Financial Data Protection Act of 2005/2006.
http://billboushkaid.blogspot.com/2006/06/welcome-to-my-blog-on-stopping.html

This would set a federal standard for allowing credit freezes by consumers, but apparently only those consumers who have become victims of identity theft.

17 states allow any consumer to freeze his credit, which means that no creditor can see his credit report. That prevents his identity from being stolen for new credit accounts. The consumer can unfreeze at any time for a specific reason (like buying a house).

This law might prevent some consumers in these states from being able to freeze their credit.

Saturday, June 24, 2006

Development of a due diligence system would require planning, coordination

The following posts suggest the development of a large scale system to help credit grantors perform the due diligence necessary to prevent identities of consumers from being "copied," and the system would rely heavily on the National Change of Address (NCOA) system as a clearinghouse.

The project would probably be developed by a large software or systems development company, with a consortium of numerous financial institutions (banks, insurance companies, mortgage lenders) as trial customers for implementation and quality assurance testing. Other software infrastructure companies (Microsoft) would probably participate. The United States Postal Service (USPS) would also be involved, as hooks (and sophisticated audits) would have to be put in the system. XML (with protocols like SOAP) would probably be used to move data between systems in a secure fashion. The software development company would provide formal project management.

Earlier indices (they may drop off as I add more posts):
http://billboushkaid.blogspot.com/2006/06/welcome-to-my-blog-on-stopping.html
and
http://billboushkaid.blogspot.com/2006/09/outline-of-project-plan-to-implement.html

Friday, June 16, 2006

ABC 20-20 has a segment on this topic

ABC "20-20" on June 16, 2006 had a segment on this, "what they don't want you to know". They presented a young man who reassembled a torn-up credit card application to a bank and got credit in his parents' name -- as an experiment -- and then informed the bank of the security hole.
The websites are http://www.cockeyed.com and http://www.kevin-jarrett.net/blog/?p=798

Of course, this just reinforces my theory that banks are careless about this, and don't check for obvious holes. The suggestion on the blog entries below is intended to get them to.

One wonders why sundering someone's credit report because of sloppy business practices isn't a form of libel.

The 20-20 segment also demoed a laptop that can download info from a speed pass without touching the consumer, and various scams involving ATMs.

Monday, June 12, 2006

Note the intention of this blog

Please notice that the intention of this blog is to develop a technical, administrative, and legal solution to the identity theft problem.

There is space for advertising on this blog. So far, the advertising (AdSense) modules have delivered public service ads because they see the prevalence of a sensitive subject matter ("identity theft") on this page. An automated script cannot always determine the writer's intention the way a human reader can. In time, I hope that this problem is resolved.

I have been putting some of my more sensitive discussions on separate blogs in order to isolate them from many of the advertising scripts.

Friday, June 09, 2006

USPS link as is today

Here is the link to the USPS (United States Postal Service) site today, that explains how address change works now.

https://moversguide.usps.com/?referral=USPS

There is a Privacy Act statement.

Obviously, putting in place a plan like the one suggested below would require legal attention from Congress first. Such a mechanism would require an appropriation from Congress (starting in the House of Representatives), and a systems development effort managed by the appropriate agency (probably the USPS).

Several companies (software companies and financial services companies) would have to be involved in developing the interfaces and performing the quality assurance and platform implementation. The interfaces would probably involve passing data as XML and using various modern W3C information exchange protocols like SOAP. A project like this would certainly generate some information technology jobs.

Wednesday, June 07, 2006

Physical security issues would exist even if there were no Internet

It is important to realize that the VA burglary (or similar losses of personal data from laptop computers or work diskettes or CDs, as in transport) could have happened even without an Internet. This is an issue involving old-fashioned, old school workplace security—especially in a high gas price world where telecommuting and working from home have been encouraged. Another issue is that when major financial implementations are tested, companies typically use copies of live production data for system parallels. To do QA testing without such copying of data would introduce enormous costs to many I.T. projects.

But there is a danger that someone who steals such data (indirectly, by stealing a "real world" laptop or data disks or CDs) would try to sell it on the Internet. That lure exists as long as credit grantors continue to give out easy credit without a system (such as a link to NCOA) to verify the real identity of an applicant for credit. In network broadcast interviews such as NBC Nightly News on June 7, 2006, reporting about the VA issue, military servicemembers have expressed additional concerns about their personal and family security. These observations, already made on major media outlets and broadcast channels, are important, because they could lead to calls for regulation of the Internet that would increase the barrier to entry; newbies could be construed as indirectly adding to the security hazards (of, for example, military personnel).

In mid June 2006 there was another major physical theft in Washington DC, a laptop from the home of an insurance agent in Washington DC for an international financial services company. The personal information of DC employees and retirees may be compromised. Now I worked in the insurance industry myself for years (in IT), and technology to allow agents to carry information to sell in the field (and upload and download as necessary) advanced rapidly in the 90s. Most of these issues involve the policyholder and contract information, not the Internet. Again, the practical consequences for ordinary citizens using financial services would be much less serious if credit grantors had and used regular verification systems before finalizing credit (as in the following entries).

The Internet does figure into some of the events. In June 2006 the Navy reported that the personal information of sailors and their families had been posted from spreadsheets on a civilian website. The Defense Department apparently does sweeps of the public Internet for classified information or for personal information about military personnel. The information was removed immediately when it was found, and the site was removed. (Washington Post, June 24, 2006, p. A5). Websites that capture credit card information could add to the risk under current systems.

One of the flaws of the Child Online Protection Act (COPA) is that it would encourage small website owners to process credit card information, and this could also pose security issues for the credit card holders.

Tuesday, June 06, 2006

From my resume (previous NCOA project):

I worked on a project to install National Change of Address at a major financial services company, ReliaStar (now bought out by ING) in 1998.

Reduced volume of return mail (by about 20%), by implementing new NCOA (National Change of Address) interface and by clientization of major Vantage system.

This project was implemented in 1998.

From 1981 to 1988 I worked for a major credit reporting company, Chilton, in Dallas, TX. It would be bought out by TRW in 1989, and that would be spun off as Experian in the 1990s. There is still a major presence in Allen, TX, north of Dallas.

My resume is at this link or at this link on blogspot.

Physical security within employer premises and when working at home

Recently there have been sensational media reports about loss or theft of data CDs or diskettes or laptop computers containing live production data about consumers, including their social security numbers. The most sensational of these reports concerned the Veterans Administration, with loss of data on upwards of 26 million veterans, from a laptop computer taken from a private home that was burglarized. Both government agencies and private companies have been involved. Sometimes data has been lost in shipment.

It has become common for workers to telecommute and work from home, which in some cases could mean live data residing in caches on personal computers. In such cases, it is becoming clear that employers should always provide a company owned computer for such company use only. But probably only employees whose homes meet certain physical security standards (such as no sliding glass doors and deadbolt locks) should be allowed to work from home this way.

Likewise, employees often take paperwork home, and this can contain confidential information. That may have been all right in the 1980s and 1990s, but it would not be all right today. One problem was that quality assurance testing was often based on extracting and loading large amounts of production data. Production parallel “beta test” runs often involved full parallels on full production data for weeks at a time, with all output reports checked. Today such tests must be done in a much more secure manner. For financial systems implementations, companies will have to invest much more in adequate test data design with non-live data. Possibly randomizing scrub routines could be used.
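The paragraph above suggests that QA could run on scrubbed rather than live production data. The following is an added example, not code from this blog or from any of the companies it mentions, of what such a scrub routine can look like: a keyed (HMAC) pseudonymization that replaces each social security number and name with a consistent fake token, so that a policyholder who appears in several records still matches across tables and the parallel test still exercises joins and duplicate-detection logic, while nothing in the test copy identifies a real person. The record layout, field names and sample values are constructed for this example and are not from any real system.

```python
import hmac
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample of a "production" extract as a QA team might receive it.
# Every value here is made up; the same person appears on two policies so that
# the example can show the scrub keeping that linkage intact.
PRODUCTION_EXTRACT: List[Dict[str, str]] = [
    {"policy_id": "P-1001", "ssn": "123-45-6789", "name": "Jane Q. Sample",
     "zip": "55401", "balance": "1500.25"},
    {"policy_id": "P-1002", "ssn": "123-45-6789", "name": "Jane Q. Sample",
     "zip": "55401", "balance": "89.10"},
    {"policy_id": "P-1003", "ssn": "987-65-4321", "name": "John R. Example",
     "zip": "75013", "balance": "0.00"},
]

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def _keyed_digest(key: bytes, field: str, value: str) -> bytes:
    # HMAC over (field, value): the same SSN always maps to the same token
    # under one key, but the mapping cannot be reversed without the key,
    # and a name that happens to equal an SSN string does not collide.
    msg = field.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def pseudonymize_ssn(key: bytes, ssn: str) -> str:
    """Replace an SSN with a format-preserving token derived from a secret key."""
    if not SSN_RE.match(ssn):
        raise ValueError("unexpected SSN format: refusing to scrub blindly")
    n = int.from_bytes(_keyed_digest(key, "ssn", ssn)[:8], "big")
    # Area numbers 900-999 are never issued by the SSA, so forcing one keeps
    # the token unmistakably fake and unable to collide with a real person.
    area = 900 + n % 100
    group = 1 + (n // 100) % 99
    serial = 1 + (n // 9900) % 9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


def pseudonymize_name(key: bytes, name: str) -> str:
    """Replace a name with a clearly synthetic, key-dependent label."""
    token = _keyed_digest(key, "name", name).hex()[:10].upper()
    return f"TEST-{token}"


def generalize_zip(zip_code: str) -> str:
    # Keep only the 3-digit prefix so regional test cases still behave,
    # without carrying a precise locality into the test copy.
    return zip_code[:3] + "00"


def scrub_records(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Return a scrubbed copy of the extract; non-identifying fields are kept as-is."""
    scrubbed = []
    for rec in records:
        out = dict(rec)
        out["ssn"] = pseudonymize_ssn(key, rec["ssn"])
        out["name"] = pseudonymize_name(key, rec["name"])
        out["zip"] = generalize_zip(rec["zip"])
        scrubbed.append(out)
    return scrubbed


def find_leaks(originals: List[Dict[str, str]], scrubbed: List[Dict[str, str]],
               fields: Tuple[str, ...] = ("ssn", "name")) -> List[Tuple[str, str]]:
    """List (policy_id, field) pairs where a live value survived scrubbing.

    Run this as a gate before the test copy leaves the production zone."""
    live = {(f, r[f]) for r in originals for f in fields}
    return [(r["policy_id"], f) for r in scrubbed for f in fields if (f, r[f]) in live]


if __name__ == "__main__":
    # The key must live with the production side only; the test team never sees it.
    demo_key = b"example-key-held-by-production-dba"
    test_copy = scrub_records(PRODUCTION_EXTRACT, demo_key)
    for row in test_copy:
        print(row)
    print("leaks:", find_leaks(PRODUCTION_EXTRACT, test_copy))
```

The design point is that the scrub is deterministic under a secret key rather than purely random: random substitution would break the very joins and duplicate checks a parallel run is meant to exercise, while an unkeyed hash would let anyone with a list of SSNs recompute the mapping. The `find_leaks` gate is the check a practitioner wants before the copy is handed to QA, since a single unscrubbed column is enough to defeat the exercise.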

Still, if credit grantors were forced to be much more careful in validating the identities of consumers, such as in succeeding entries on this blog, the problem would be much less serious.

It is probably not a good idea for small businesses to do their own credit card and merchant account processing, given liability concerns if their servers were compromised. It is probably safer to outsource such processing to companies with enough scale to secure personal data properly. But large companies, as we know, have not always been reliable.

Would granting of credit be delayed by this strategy?

Would this strategy slow down the granting of credit or cause price increases?

I would think it would mean that a credit card could not be activated until the consumer received a verification letter at a "preferred" NCOA US postal (or conceivably email) address. I don't think this would usually be a problem.

With car purchases, typically a consumer has to wait a day or two to pick up a new car, and that amount of time would give the car dealer time to verify the identity of the consumer and send the verification letter. Really, doesn't a car dealer want to be careful before letting someone drive a $30,000 vehicle off the lot?

With some kinds of instant financing, as at computer stores, I do see some roadblocks.

Outline of a broad strategy to protect personal identity

This entry has been moved to the blog file for Sept 25, 2006. Please look there.

Welcome to my blog on stopping identity theft

I am starting a couple of new blogs on specific issues that have developed during the Internet age. We all know that with all of the opportunities brought by the Internet, there are new risks, to security, loss of privacy, exposure to unwanted materials by children, and the like.

One particular problem has been identity theft. A particularly disturbing scenario is that credit grantors (banks with credit cards, car dealers, and the like) sometimes give credit to individuals using another person's social security number and various other fictitious information. The original individual finds that person's fraudulent account on his credit report. Why don't credit grantors check more carefully before giving credit?

This blog will discuss this scenario.

Because it is referenced above, here is the text of HR 3997, a bill, the proposed Financial Data Protection Act of 2006.

H.R.3997
Financial Data Protection Act of 2006 (Reported in House)

[For text of introduced bill, see copy of bill as introduced on October 6, 2005]

A BILL

To amend the Fair Credit Reporting Act to provide for secure financial data, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; FINDINGS.

(a) Short Title- This Act may be cited as the `Financial Data Protection Act of 2006'.

(b) Findings- The Congress finds as follows:

(1) Protecting the security of sensitive information relating to consumers is important to limiting account fraud and identity theft.

(2) While the Gramm-Leach-Bliley Act requires financial institutions to protect the security and confidentiality of the nonpublic personal information of the customers of financial institutions, the scope of covered entities and type of information needs to be broadened to fully protect consumers.

(3) Some Federal agencies have issued model guidance under the Gramm-Leach-Bliley Act requiring banks to investigate and provide notice to customers of breaches of data security involving customer information that could lead to account fraud or identity theft, but these standards need to be broadened to apply to other entities acting as consumer reporters, in order to create a single, uniform data security standard that applies to all parties to transactions involving such financial information.

(4) Requiring all consumer reporters handling sensitive financial personal information to provide notice to consumers of data security breaches that are likely to result in harm or inconvenience will help consumers protect themselves and mitigate against the risk of identity theft or account fraud.

(5) Therefore, all consumer reporters should--

(A) protect sensitive financial personal information;

(B) investigate potential data security breaches;

(C) provide breach notices as appropriate to the United States Secret Service, functional regulators, involved third parties, and consumers;

(D) restore the security of the information and improve safeguards after a breach; and

(E) provide consumers free file monitoring where appropriate to reduce the risk of identity theft.

SEC. 2. DATA SECURITY SAFEGUARDS.

(a) In General- As set forth in section 630 of the Fair Credit Reporting Act, as amended by the Act, in the event a consumer reporter becomes aware of information suggesting a breach of data security, such consumer reporter shall immediately conduct an investigation, and notify authorities and consumers as appropriate.

(b) FCRA Data Security Amendment- The Fair Credit Reporting Act (15 U.S.C. 1681) is amended by adding at the end the following new section:

`SEC. 630. DATA SECURITY SAFEGUARDS.

`(a) Protection of Sensitive Financial Personal Information-

`(1) DATA SECURITY OBLIGATION POLICY- It is the policy of the Congress that each consumer reporter has an affirmative and continuing obligation to protect the security and confidentiality of sensitive financial personal information.

`(2) SECURITY POLICIES AND PROCEDURES- Each consumer reporter shall have an affirmative obligation to implement, and a continuing obligation to maintain, reasonable policies and procedures to protect the security and confidentiality of sensitive financial personal information relating to any consumer that is handled by such consumer reporter against any loss, unauthorized access, or misuse that is reasonably likely to result in harm or inconvenience to such consumer.

`(3) DATA DESTRUCTION AND DATA DISPOSAL POLICIES AND PROCEDURES- The policies and procedures described in paragraph (2) shall include providing for the proper disposal of sensitive financial personal information in accordance with the standards, guidelines, or regulations issued pursuant to this title.

`(b) Investigation Requirements-

`(1) INVESTIGATION TRIGGER- A consumer reporter shall immediately conduct a data security breach investigation if it--

`(A) becomes aware of any information indicating a reasonable likelihood that a data security breach has occurred or is unavoidable;

`(B) becomes aware of information indicating an unusual pattern of misuse of sensitive financial personal information handled by a consumer reporter indicative of financial fraud; or

`(C) receives a notice under subsection (e).

`(2) SCOPE OF INVESTIGATION- Such investigation shall be conducted in a manner commensurate with the nature and the amount of the sensitive financial personal information that is subject to the breach of data security, including appropriate actions to--

`(A) assess the nature and scope of the potential breach;

`(B) identify the sensitive financial personal information potentially involved;

`(C) determine whether such information is usable by the parties causing the breach; and

`(D) determine the likelihood that such information has been, or will be, misused in a manner that may cause harm or inconvenience to the related consumer.

`(3) ENCRYPTION AND OTHER SAFEGUARDS-

`(A) SUGGESTED SAFEGUARDS- The regulators described in subsection (k)(1) shall jointly develop standards and guidelines to identify and regularly update appropriate technology safeguards for making consumer reporter's sensitive financial personal information unusable in a manner commensurate with the nature and the amount of such information, including--

`(i) consideration of the encryption standards adopted by the National Institute of Standards and Technology for use by the Federal Government; and

`(ii) appropriate management and protection of keys or codes necessary to protect the integrity of encrypted information.

`(B) SAFEGUARD FACTORS- In determining the likelihood of a data security breach, a consumer reporter may consider whether the information subject to the potential breach is unusable because it is encrypted, redacted, requires technology to use that is not generally commercially available, or has otherwise similarly been rendered unreadable.

`(C) SAFE HARBOR FOR PROTECTED DATA- As set forth in the standards and guidelines issued pursuant to subparagraph (A), a consumer reporter may reasonably conclude that a data security breach is not likely to have occurred where the sensitive personal financial information involved has been encrypted, redacted, requires technology to use that is not generally commercially available, or is otherwise unlikely to be usable.

`(D) EXCEPTION- Subparagraphs (B) and (C) shall not apply if the consumer reporter becomes aware of information that would reasonably indicate that the information that was the subject of the potential breach is usable by the entities causing the breach or potentially misusing the information, for example because--

`(i) an encryption code is potentially compromised,

`(ii) the entities are believed to have the technology to access the information; or

`(iii) there is an unusual pattern of misuse of such information indicative of financial fraud.

`(c) Breach Notices- If a consumer reporter determines that a breach of data security has occurred, is likely to have occurred, or is unavoidable, the consumer reporter shall in the order listed--

`(1) promptly notify the United States Secret Service;

`(2) promptly notify the appropriate functional regulatory agency for the consumer reporter;

`(3) notify as appropriate and without unreasonable delay--

`(A) any third party entity that owns or is obligated on an affected financial account as set forth in the standards or guidelines pursuant to subsection (k)(1)(G), including in such notification information reasonably identifying the nature and scope of the breach and the sensitive financial personal information involved; and

`(B) any other appropriate critical third parties whose involvement is necessary to investigate the breach; and

`(4) without unreasonable delay notify any affected consumers to the extent required in subsection (f), as well as--

`(A) each nationwide consumer reporting agency, in the case of a breach involving sensitive financial identity information relating to 1,000 or more consumers; and

`(B) any other appropriate critical third parties who will be required to undertake further action with respect to such information to protect such consumers from resulting fraud or identity theft.

`(d) System Restoration Requirements- If a consumer reporter determines that a breach of data security has occurred, is likely to have occurred, or is unavoidable, the consumer reporter shall take prompt and reasonable measures to--

`(1) repair the breach and restore the security and confidentiality of the sensitive financial personal information involved to limit further unauthorized misuse of such information; and

`(2) restore the integrity of the consumer reporter's data security safeguards and make appropriate improvements to its data security policies and procedures.

`(e) Third Party Duties-

`(1) COORDINATED INVESTIGATION- Whenever any consumer reporter that handles sensitive financial personal information for or on behalf of another party becomes aware that an investigation is required under subsection (b) with respect to such information, the consumer reporter shall--

`(A) promptly notify the other party of the breach;

`(B) conduct a coordinated investigation with the other party as described in subsection (b); and

`(C) ensure that the appropriate notices are provided as required under subsection (f).

`(2) CONTRACTUAL OBLIGATION REQUIRED- No consumer reporter may provide sensitive financial personal information to a third party, unless such third party agrees to fulfill the obligations imposed by subsections (a), (d), and (h), as well as that whenever the third party becomes aware that a breach of data security has occurred, is reasonably likely to have occurred, or is unavoidable, with respect to such information, the third party shall be obligated--

`(A) to provide notice of the potential breach to the consumer reporter;

`(B) to conduct a coordinated investigation with the consumer reporter to identify the sensitive financial personal information involved and determine if the potential breach is reasonably likely to result in harm or inconvenience to any consumer to whom the information relates; and

`(C) provide any notices required under this section, except to the extent that such notices are provided by the consumer reporter in a manner meeting the requirements of this section.

`(f) Consumer Notice-

`(1) POTENTIAL IDENTITY THEFT RISK AND FRAUDULENT TRANSACTION RISK- A consumer reporter shall provide a consumer notice if, at any point the consumer reporter becomes aware--

`(A) that a breach of data security is reasonably likely to have occurred or be unavoidable, with respect to sensitive financial personal information handled by the consumer reporter;

`(B) of information reasonably identifying the nature and scope of the breach; and

`(C) that such information is reasonably likely to have been or to be misused in a manner causing harm or inconvenience against the consumers to whom such information relates to--

`(i) commit identity theft if the information is sensitive financial identity information, or

`(ii) make fraudulent transactions on such consumers' financial accounts if the information is sensitive financial account information.

`(2) SECURITY PROGRAM SAFEGUARDS AND REGULATIONS-

`(A) STANDARDS FOR SAFEGUARDS- The regulators described in subsection (k)(1) shall issue guidelines relating to the types of sophisticated neural networks and security programs that are likely to detect fraudulent account activity and at what point detection of such activity is sufficient to avoid consumer notice under this subsection.

`(B) ALTERNATIVE SAFEGUARDS- In determining the likelihood of misuse of sensitive financial account information and whether a notice is required under paragraph (1), the consumer reporter may additionally consider--

`(i) consistent with any standards promulgated under subparagraph (A), whether any neural networks or security programs used by, or on behalf of, the consumer reporter have detected, or are likely to detect on an ongoing basis over a reasonable period of time, fraudulent transactions resulting from the breach of data security; or

`(ii) whether no harm or inconvenience is reasonably likely to have occurred, because for example the related consumer account has been closed or its number has been changed.

`(3) COORDINATION WITH THE FAIR DEBT COLLECTION PRACTICES ACT- The provision of a notice to the extent such notice and its contents are required under this section shall not be considered a communication under the Fair Debt Collection Practices Act.

`(4) COORDINATION OF CONSUMER NOTICE DATABASE-

`(A) IN GENERAL- The Commission shall coordinate with the other government entities identified in this section to create a publicly available list of data security breaches that have triggered a notice to consumers under this subsection within the last 12 months.

`(B) LISTED INFORMATION- The publicly available list described in subparagraph (A) shall include the following:

`(i) The identity of the party responsible that suffered the breach.

`(ii) A general description of the nature and scope of the breach.

`(iii) Any financial fraud mitigation or other services provided by such party to the affected consumers, including the telephone number and other appropriate contact information for accessing such services.

`(g) Timing, Content, and Manner of Notices-

`(1) DELAY OF NOTICE FOR LAW ENFORCEMENT PURPOSES- If a consumer reporter receives a written request from an appropriate law enforcement agency indicating that the provision of a notice under subsection (c)(3) or (f) would impede a criminal or civil investigation by that law enforcement agency, or an oral request from an appropriate law enforcement agency indicating that such a written request will be provided within 2 business days--

`(A) the consumer reporter shall delay, or in the case of a foreign law enforcement agency may delay, providing such notice until--

`(i) the law enforcement agency informs the consumer reporter that such notice will no longer impede the investigation; or

`(ii) the law enforcement agency fails to--

`(I) provide within 10 days a written request to continue such delay for a specific time that is approved by a court of competent jurisdiction; or

`(II) in the case of an oral request for a delay, provide a written request within 2 business days, and if such delay is requested for more than 10 additional days, such request must be approved by a court of competent jurisdiction; and

`(B) the consumer reporter may--

`(i) conduct appropriate security measures that are not inconsistent with such request; and

`(ii) contact such law enforcement agency to determine whether any such inconsistency would be created by such measures.

`(2) HOLD HARMLESS PROVISION- A consumer reporter shall not be liable for any fraud mitigation costs or for any losses that would not have occurred but for notice to or the provision of sensitive financial personal information to law enforcement, or the delay provided for under this subsection, except that--

`(A) nothing in this subparagraph shall be construed as creating any inference with respect to the establishment or existence of any such liability; and

`(B) this subparagraph shall not apply if the costs or losses would not have occurred had the consumer reporter undertaken reasonable system restoration requirements to the extent required under subsection (d), or other similar provision of law, except to the extent that such system restoration was delayed at the request of law enforcement.

`(3) CONTENT OF CONSUMER NOTICE- Any notice required to be provided by a consumer reporter to a consumer under subsection (f)(1), and any notice required in accordance with subsection (e)(2)(A), shall be provided in a standardized transmission or exclusively colored envelope, and shall include the following in a clear and conspicuous manner:

`(A) An appropriate heading or notice title.

`(B) A description of the nature and types of information and accounts as appropriate that were, or are reasonably believed to have been, subject to the breach of data security.

`(C) A statement identifying the party responsible, if known, that suffered the breach, including an explanation of the relationship of such party to the consumer.

`(D) If known, the date, or the best reasonable approximation of the period of time, on or within which sensitive financial personal information related to the consumer was, or is reasonably believed to have been, subject to a breach.

`(E) A general description of the actions taken by the consumer reporter to restore the security and confidentiality of the breached information.

`(F) A telephone number by which a consumer to whom the breached information relates may call free of charge to obtain additional information about how to respond to the breach.

`(G) With respect to notices involving sensitive financial identity information, a copy of the summary of rights of consumer victims of fraud or identity theft prepared by the Commission under section 609(d), as well as any additional appropriate information on how the consumer may--

`(i) obtain a copy of a consumer report free of charge in accordance with section 612;

`(ii) place a fraud alert in any file relating to the consumer at a consumer reporting agency under section 605A to discourage unauthorized use; and

`(iii) contact the Commission for more detailed information.

`(H) With respect to notices involving sensitive financial identity information, a prominent statement in accordance with subsection (h) that file monitoring will be made available to the consumer free of charge for a period of not less than six months, together with a telephone number for requesting such services, and may also include such additional contact information as a mailing address, e-mail, or Internet website address.

`(I) The approximate date the notice is being issued.

`(4) OTHER TRANSMISSION OF NOTICE- The notice described in paragraph (3) may be made by other means of transmission (such as electronic or oral) to a consumer only if--

`(A) the consumer has affirmatively consented to such use, has not withdrawn such consent, and with respect to electronic transmissions is provided with the appropriate statements related to such consent as described in section 101(c)(1) of the Electronic Signatures in Global and National Commerce Act; and

`(B) all of the relevant information in paragraph (3) is communicated to such consumer in such transmission.

`(5) DUPLICATIVE NOTICES-

`(A) IN GENERAL- A consumer reporter, whether acting directly or in coordination with another entity--

`(i) shall not be required to provide more than 1 notice with respect to any breach of data security to any affected consumer, so long as such notice meets all the applicable requirements of this section, and

`(ii) shall not be required to provide a notice with respect to any consumer if a notice meeting the applicable requirements of this section has already been provided to such consumer by another entity.

`(B) UPDATING NOTICES- If a consumer notice is provided to consumers pursuant only to subsection (f)(1)(C)(ii) (relating to sensitive financial account information), and the consumer reporter subsequently becomes aware of a reasonable likelihood that sensitive financial personal information involved in the breach is being misused in a manner causing harm or inconvenience against such consumer to commit identity theft, an additional notice shall be provided to such consumers as well any other appropriate parties under this section, including a copy of the Commission's summary of rights and file monitoring mitigation instructions under subparagraphs (G) and (H) of paragraph (3).

`(6) RESPONSIBILITY AND COSTS-

`(A) IN GENERAL- Except as otherwise established by written agreement between the consumer reporter and its agents or third party servicers, the entity that suffered a breach of data security shall be--

`(i) primarily responsible for providing any consumer notices and file monitoring required under this section with respect to such breach; and

`(ii) responsible for the reasonable actual costs of any notices provided under this section.

`(B) IDENTIFICATION TO CONSUMERS- No such agreement shall restrict the ability of a consumer reporter to identify the entity responsible for the breach to consumers.

`(C) NO CHARGE TO CONSUMERS- The cost for the notices and file monitoring described in subparagraph (A) may not be charged to the related consumers.

`(h) Financial Fraud Mitigation-

`(1) FREE FILE MONITORING- Any consumer reporter that is required to provide notice to a consumer under subsection (f)(1)(C)(i), or that is deemed to be in compliance with such requirement by operation of subsection (j), if requested by the consumer before the end of the 90-day period beginning on the date of such notice, shall make available to the consumer, free of charge and for at least a 6-month period--

`(A) a service that monitors nationwide credit activity regarding a consumer from a consumer reporting agency described in section 603(p); or

`(B) a service that provides identity-monitoring to consumers on a nationwide basis that meets the guidelines described in paragraph (2).

`(2) IDENTITY MONITORING NETWORKS- The regulators described in subsection (k)(1) shall issue guidelines on the type of identity monitoring networks that are likely to detect fraudulent identity activity regarding a consumer on a nationwide basis and would satisfy the requirements of paragraph (1).

`(3) JOINT RULEMAKING FOR SAFE HARBOR- In accordance with subsection (j), the Secretary of the Treasury, the Board of Governors of the Federal Reserve System, and the Commission shall jointly develop standards and guidelines, which shall be issued by all functional regulatory agencies, that, in any case in which--

`(A) free file monitoring is offered under paragraph (1) to a consumer;

`(B) subsequent to the offer, another party misuses sensitive financial identity information on the consumer obtained through the breach of data security (that gave rise to such offer) to commit identity theft against the consumer; and

`(C) at the time of such breach the consumer reporter met the requirements of subsections (a) and (d),

exempts the consumer reporter from any liability for any harm to the consumer resulting from such misuse, other than any direct pecuniary loss or loss pursuant to agreement by the consumer reporter, except that nothing in this paragraph shall be construed as creating any inference with respect to the establishment or existence of any such liability.

`(i) Credit Security Freeze-

`(1) DEFINITIONS- For purposes of this subsection, the following definitions shall apply:

`(A) SECURITY FREEZE- The term `security freeze' means a notice placed in a credit report on a consumer, at the request of the consumer who is a victim of identity theft, that prohibits the consumer reporting agency from releasing all or any part of the credit report, without the express authorization of the consumer, except as otherwise provided in this section.

`(B) REVIEWING THE ACCOUNT; ACCOUNT REVIEW- The terms `reviewing the account' and `account review' include activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.

`(2) REQUEST FOR A SECURITY FREEZE-

`(A) IN GENERAL- A consumer who has been the victim of identity theft may place a security freeze on the file of such consumer at any consumer reporting agency by--

`(i) making a request in writing by certified mail to the consumer reporting agency;

`(ii) submitting an identity theft report to the consumer reporting agency; and

`(iii) providing such evidence of the identity of the consumer as such consumer reporting agency may require under paragraph (5).

`(B) PROMPT IMPOSITION OF FREEZE- A consumer reporting agency shall place a security freeze on a credit report on a consumer no later than 5 business days after receiving a written request from the consumer in accordance with subparagraph (A).

`(C) EFFECT OF FREEZE-

`(i) IN GENERAL- Except as otherwise provided in this subsection, if a security freeze is in place with respect to any consumer, information from the consumer's credit report may not be released by the consumer reporting agency or reseller to any third party, including another consumer reporting agency or reseller, without the prior express authorization from the consumer or as otherwise permitted in this section.

`(ii) ADVISING OF EXISTENCE OF SECURITY FREEZE- Clause (i) shall not be construed as preventing a consumer reporting agency or reseller from advising a third party that a security freeze is in effect with respect to the credit report on the consumer.

`(D) CONFIRMATION OF FREEZE; ACCESS CODE- Any consumer reporting agency that receives a consumer request for a security freeze in accordance with subparagraph (A) shall--

`(i) send a written confirmation of the security freeze to the consumer within 10 business days of placing the freeze; and

`(ii) at the same time, provide the consumer with a unique personal identification number or password (other than the Social Security account number of any consumer) to be used by the consumer when providing authorization for the release of the credit report of the consumer to a specific party or for a specific period of time.

`(3) ACCESS PURSUANT TO CONSUMER AUTHORIZATION DURING SECURITY FREEZE-

`(A) NOTICE BY CONSUMER- If the consumer wishes to allow the credit report on the consumer to be accessed by a specific party or for a specific period of time while a freeze is in place, the consumer shall--

`(i) contact the consumer reporting agency in any manner the agency may provide;

`(ii) request that the security freeze be temporarily lifted; and

`(iii) provide--

`(I) proper identification;

`(II) the unique personal identification number or password provided by the consumer reporting agency pursuant to paragraph (2)(D)(ii); and

`(III) the proper information regarding the third party who is to receive the credit report or the time period for which the report shall be available to users of the credit report.

`(B) TIMELY RESPONSE REQUIRED- A consumer reporting agency that receives a request from a consumer to temporarily lift a security freeze on a credit report in accordance with subparagraph (A) shall comply with the request no later than 3 business days after receiving the request.

`(C) PROCEDURES FOR REQUESTS- A consumer reporting agency may develop procedures involving the use of telephone, fax, or, upon the consent of the consumer in the manner required by the Electronic Signatures in Global and National Commerce Act for notices legally required to be in writing, by the Internet, e-mail, or other electronic medium to receive and process a request from a consumer to temporarily lift a security freeze on a credit report pursuant to subparagraph (A) in an expedited manner.

`(4) LIFTING OR REMOVING SECURITY FREEZE-

`(A) IN GENERAL- A consumer reporting agency may remove or temporarily lift a security freeze placed on a credit report on a consumer only in the following cases:

`(i) Upon receiving a consumer request for a temporary lift of the security freeze in accordance with paragraph (3)(A).

`(ii) Upon receiving a consumer request for the removal of the security freeze in accordance with subparagraph (C).

`(iii) Upon a determination by the consumer reporting agency that the security freeze was imposed on the credit report due to a material misrepresentation of fact by the consumer.

`(B) NOTICE TO CONSUMER OF DETERMINATION- If a consumer reporting agency makes a determination described in subparagraph (A)(iii) with respect to a security freeze imposed on the credit report on any consumer, the consumer reporting agency shall notify the consumer of such determination in writing prior to removing the security freeze on such credit report.

`(C) REMOVING SECURITY FREEZE-

`(i) IN GENERAL- Except as provided in this subsection, a security freeze shall remain in place until the consumer requests that the security freeze be removed.

`(ii) PROCEDURE FOR REMOVING SECURITY FREEZE- A consumer reporting agency shall remove a security freeze within 3 business days of receiving a request for removal from the consumer who provides--

`(I) proper identification; and

`(II) the unique personal identification number or password provided by the consumer reporting agency pursuant to paragraph (2)(D)(ii).

`(5) PROPER IDENTIFICATION REQUIRED- A consumer reporting agency shall require proper identification of any person who makes a request to impose, temporarily lift, or permanently remove a security freeze on the credit report of any consumer under this section.

`(6) THIRD PARTY REQUESTS- If--

`(A) a third party requests access to a consumer's credit report on which a security freeze is in effect under this section in connection with an application by the consumer for credit or any other use; and

`(B) the consumer does not allow the consumer's credit report to be accessed by that specific party or during the specific period such application is pending,

the third party may treat the application as incomplete.

`(7) CERTAIN ENTITY EXEMPTIONS-

`(A) AGGREGATORS AND OTHER AGENCIES- This subsection shall not apply to a consumer reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the database of another consumer reporting agency or multiple consumer reporting agencies, and does not maintain a permanent database of credit information from which new credit reports are produced.

`(B) OTHER EXEMPTED ENTITIES- The following entities shall not be required to place a security freeze in a credit report:

`(i) An entity which provides check verification or fraud prevention services, including but not limited to, reports on incidents of fraud, verification or authentication of a consumer's identification, or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments.

`(ii) A deposit account information service company, which issues reports regarding account closures due to fraud, substantial overdrafts, automated teller machine abuse, or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or other financial institution.

`(8) EXCEPTIONS- This subsection shall not apply with respect to the use of a consumer credit report by any of the following for the purpose described:

`(A) A person, or any affiliate, agent, or assignee of any person, with whom the consumer has or, prior to an assignment, had an account, contract, or debtor-creditor relationship for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or debt.

`(B) An affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under paragraph (3) for purposes of facilitating the extension of credit or other permissible use of the report in accordance with the consumer's request under such paragraph.

`(C) Any State or local agency, law enforcement agency, trial court, or person acting pursuant to a court order, warrant, or subpoena.

`(D) A Federal, State, or local agency that administers a program for establishing and enforcing child support obligations for the purpose of administering such program.

`(E) A Federal, State, or local health agency, or any agent or assignee of such agency, acting to investigate fraud within the jurisdiction of such agency.

`(F) A Federal, State, or local tax agency, or any agent or assignee of such agency, acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any other statutory responsibility of such agency.

`(G) Any person that intends to use the information in accordance with section 604(c).

`(H) Any person administering a credit file monitoring subscription or similar service to which the consumer has subscribed.

`(I) Any person for the purpose of providing a consumer with a copy of the credit report or credit score of the consumer upon the consumer's request.

`(9) PROHIBITION ON FEE- A consumer reporting agency may not impose a fee for placing, removing, or removing for a specific party or parties a security freeze on a credit report.

`(10) NOTICE OF RIGHTS- At any time that a consumer is required to receive a summary of rights required under section 609(c)(1) or 609(d)(1) the following notice shall be included:

`Consumers Who Are Victims of Identity Theft Have the Right to Obtain a Security Freeze on Your Consumer Report

`You may obtain a security freeze on your consumer credit report at no charge if you are a victim of identity theft and you submit a copy of an identity theft report you have filed with a law enforcement agency about unlawful use of your personal information by another person.

`The security freeze will prohibit a credit reporting agency from releasing any information in your consumer credit report without your express authorization.