Spring Has Arrived, But the National Credit Security Freeze Is Here To Stay

By Eva Lorenz and Suzanne Begnoche

During 2018, the North Carolina Department of Justice received notices from businesses of a total of 1,057 data breaches, affecting 1.9 million North Carolinians.[1] Businesses subject to N.C. Gen. Stat. § 75-65 must provide breach notices to all affected persons.[2] Although not legally obligated to do so under North Carolina law, many affected businesses also offer victims a period of free credit monitoring. Credit monitoring does alert a subscriber to credit file changes. Anyone who wants to do more than sit and wait for identity theft to happen, however, must lock down access to their credit reports by initiating statutory security freezes.

For many years, the Identity Theft Protection Act gave North Carolina consumers the right to request these security freezes from nationwide consumer reporting agencies (“CRAs”).[3] Then, the 2017 Equifax data breach, which affected at least 143 million people, sparked Congress to enact a new “national security freeze.”[4] As of September 21, 2018, the Fair Credit Reporting Act (“FCRA”)’s national security freeze provisions[5] preempt North Carolina’s security freeze law.[6]

Just as North Carolina’s law did, the FCRA now requires that all nationwide CRAs provide free security freezes for consumers.[7] The process of freezing a credit file is easy, and can be done online, by phone, or by mail. Each CRA must give the consumer a means to lift the freeze, including an authentication mechanism (typically, a random PIN number).[8] Lifting or “unfreezing” is necessary when applying for new credit, because a credit check requires that the credit file to be available to third parties.

Like its North Carolina precursor, the new national security freeze is also available to “protected consumers.”[9]  “Protected consumers” under the FCRA include minors, as well as incapacitated persons and those for whom a guardian or conservator has been appointed.[10] Children are prime targets for identity theft, because many will not realize that their credit has been compromised until they become adults and try to use credit for the first time. This means that a child’s credit may be used by identity thieves for extended periods of time.It also explains why SSNs of children reach premium prices on the darknet.[11]  Similarly, senior citizens have long been recognized as ideal targets for identity theft.[12]

In compliance with the new law[13], each of the “Big Three” CRAs (Experian, Equifax, and TransUnion) has established webpages that allows consumers to request security freezes. The FTC is obligated[14] to maintain a webpage with links to each CRA, allowing consumers to access all three CRAs from a central online location.[15] Consumers can also launch the security freeze process through the North Carolina attorney general’s security freeze website at https://ncdoj.gov/securityfreeze. This website walks the user through the process of freezing and “thawing” (i.e., unfreezing) the report, and it provides links to CRA webpages that are more specific to security freezes.

Should a consumer still review their credit reports if they have security freezes in place?  The short answer is yes. While a freeze reduces the risk of identity theft, it’s not a guarantee, so consumers should review their reports at least annually. Each consumer is entitled to one free credit report per year.[16]

Keep in mind, many other CRAs beyond the “Big Three” are subject to the national security freeze provisions.[17]  These include public record vendors like LexisNexis, tenant screening services like Corelogic, account verification services like Chex Systems, and industry niche CRAs like Sagestream. Consumers can request freezes and free annual reports from these other types of CRAs.  An extensive directory of nationwide CRAs is available on the CFPB website.[18]

[1] Attorney General Josh Stein, North Carolina Department of Justice, “North Carolina Data Breach Report 2018” (2019), https://ncdoj.gov/Files/News/2018-Data-Breach-Report.aspx.  Accessed April 4, 2019.

[2] N.C.G.S. § 75-65(a)-(b).

[3] N.C.G.S. § 75-63 and 75-63.1.

[4] 164 Cong. Rec. S1572  (daily ed. March 8, 2018) (statement of Sen. Crapo).

[5] 15 U.S.C. § 1681c-1(i)-(j).

[6] 15 U.S.C. § 1681t(b)(1)(J).

[7] 15 U.S.C. § 1681c-1(i)(2)(A) (when request received from consumer) and 15 U.S.C. § 1681c-1(j)(2)(A) (when request received from a person who provides sufficient proof of authority to act on behalf of a “protected consumer”).

[8] 15 U.S.C. § 1681c-1(i)(2)(B)(ii)(I) (for a consumer) and 15 U.S.C. § 1681c-1(j)(2)(B)(ii) (for lifting the freeze from a protected consumer’s file).

[9] 15 U.S.C. § 1681c-1(j).

[10] 15 U.S.C. § 1681c-1(j)(1)(B).

[11] E.g., Selena Larsen, “Infant Social Security Numbers are For Sale on the Dark Web,” CNN (January 22, 2018), https://money.cnn.com/2018/01/22/technology/infant-data-dark-web-identity-theft/index.html.  Accessed April 5, 2019.

[12] E.g., Office of the Inspector General, Social Security Administration, “Identity Theft and America’s Senior Citizens” (July 18, 2002), https://oig.ssa.gov/newsroom/congressional-testimony/identity-theft-and-americas-senior-citizens.  Accessed April 5, 2019.

[13] 15 U.S.C. § 1681c-1(i)(6)(A).

[15] 15 U.S.C. § 1681c-1(i)(6)(B).

[16] 15 U.S.C. § 1681j(a).

[17] 15 U.S.C. § 1681a(p) (definition of the term “consumer reporting agency that compiles and maintains files on consumers on a nationwide basis”).

[18] Consumer Financial Protection Bureau, “List of Consumer Reporting Companies” (January 2019), https://files.consumerfinance.gov/f/documents/cfpb_consumer-reporting-companies-list.pdf.  Accessed on April 4, 2019.