With this year’s high profile breach at a large consumer reporting agency and credit cards ringing up balances during this holiday season, I have been fielding numerous calls from people in both a professional and personal capacity on what they should be doing to “truly” protect their identity and their credit accounts. I often find myself reiterating some of the basics of the laws in place to protect you and to empower you to safeguard your credit information. So, I thought a quick post sharing that information might be timely, helpful and possibly buy you some peace of mind.
- No one will care more about your privacy and security than you. Let me begin by reiterating a common mantra of mine: No one will care more about your privacy and security than you. While the law can provide a remedy and some protections, it will never move faster than you, nor will it know as much about your individual situation as you do. In truth, the law is your last remedy when dealing with information security-related issues. That said, there are protections and tools available to you at the federal and state level of which you might be able to avail yourself.
- Federal and state law. At the federal level, the privacy and security of your information stored by consumer reporting agencies (“CRAs”) is regulated under the Fair Credit Reporting Act (“FCRA”). The FCRA regulates the use of consumer report information, or any information that might be used to determine your eligibility for something, such as a loan, apartment rental, job, license, etc. As this information includes sensitive details such as your social security number, date of birth, as well as details of your financial and professional history, the FCRA assigns many duties and obligations to CRAs and users of consumer reports. On top of that, many states have their own version of a fair credit reporting act that mirrors the federal law. In some cases, the state act provides more restrictions and protection on the use of personal information than the federal version.
As for protections available under these laws, there are two of which you should be aware. There is no way to completely prevent your identity from being stolen or your personal information from being used inappropriately. However, there are two solid steps you can take.
a. Fraud alerts. If you are, or suspect you may be, a victim of fraud or identity theft, you have the ability to place a fraud alert on your credit report to alert potential creditors or lenders under the FCRA. When alerted by you, CRAs can take steps to protect your information, including providing you notice of any attempts to open credit in your name. There are two main types of fraud alerts that you can place: initial and extended. There is also an active duty fraud alert for military service members. Placing a fraud alert is quite easy. Simply, contact the fraud department of one of the three major CRAs (Experian, Equifax or TransUnion). Under the FCRA, the CRA you notify has a duty to share notice of the filing of the fraud alert with the other two agencies. (When in doubt, or when you have a concern with identity theft, go ahead and notify each CRA yourself as speed counts in such matters).
An initial fraud alert stays on file for ninety (90) days while an extended alert lasts up to seven (7) years. You may request to have the alert removed before the end of any such time period. An active duty alert lasts for one year, however the alert can be renewed to match the period of deployment. The Federal Trade Commission (“FTC”) provides a great deal of information on your rights under the FCRA and ways to take advantage of its protections.
b. Security freezes. In addition to fraud alerts available under the FCRA, all U.S. states also have laws that allow residents to lock down or “freeze” their CRA accounts as a means to protect that information from unauthorized access. Generally, under such laws, the CRAs cannot grant access to your consumer file until you have explicitly approved it. Unlike the fraud alerts, you’ll need to get in contact with each one of the CRAs for the freeze to go into effect. To initiate a freeze, you’ll need to supply the CRA with personal information to verify your identity. Sometimes you can do this online, and sometimes you need to submit paperwork and/or talk to the CRAs on the phone.
Depending on where you live, there might be a fee associated with the freeze. For example, here in Ohio you will pay $5.00 to freeze each CRA account, so a total $15.00 for freezing your Experian, TransUnion and Equifax accounts. Once the freeze is applied, no one can access your credit file until you “unfreeze” your account. And yes, you will pay that fee again when you unfreeze to authorize a pull on your credit report (in Ohio, at least). Each agency with then send you a PIN, which you will need when you decide to lift the freeze. The freeze is then in place until you request the CRA to lift it.
3. What to do? As with all things, the right solution depends on you and your lifestyle. That said, and with the disclaimer that this is not legal advice, I would recommend you freeze your accounts as allowed under state law. Think about it. How often do you really need someone to access your credit report? How often do you get a new credit card, apply for a mortgage, or otherwise need someone to use your SSN to find out something about you? It really is not that often, or at least rare enough that you can take 5 minutes to approve the access. When you look at the greater risk, what is 5 minutes?
“But it is so inconvenient, Scot. And it’s expensive.” I hear this a lot, and I understand. Security is rarely convenient. And yes, it can cost you a few bucks depending on the state in which you live. But, when you think of the fact that over half the U.S. population has had its SSN disclosed in this year’s CRA breach, not to mention how many other breaches in which your information might have been involved, what other option is going to provide you the broadest overarching protection? For the money and universal application, I think the security freeze provides a lot of value. When it comes to data breach, it is not IF, but WHEN. Prepare yourself. Embrace the freeze. Winter is coming.
A special thanks to Landon Holp, one of our exceptional interns here at Taft for assisting me with writing this blog.