Client Alert

State Statutes Permitting Security Freeze On A Credit Report File

10/1/2007

In order to help prevent the unauthorized use of information from a consumer report file to fraudulently open a new account, over thirty-five states, as well as the District of Columbia, have enacted laws allowing an individual to place a “security freeze” on his or her credit report file.[1]  In general, a “security freeze” prohibits a consumer reporting agency (“CRA”) from releasing information from a credit report file on the consumer without the express authorization of the consumer.  Although the state security freeze laws are similar in many respects, some aspects of these laws are significantly different, including with respect to:  who may request a security freeze; the method of requesting a security freeze; and the time permitted to a CRA to respond to a request to place a security freeze.  CRAs operating in the various states must comply with the security freeze requirements imposed by the laws of each of those states, and users of credit report information must be aware of the various restrictions placed on the sharing of information contained in credit report files.  This article provides a brief overview of the security freeze laws enacted by the various states.

Who Must Comply

State security freeze laws typically define a CRA as any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the business of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing credit reports to third parties.[2]  Some state laws, such as the laws of Kansas, New Jersey, and New York, include within the definition of a “CRA” entities that provide investigative consumer reports.  However, other types of CRAs are often exempt under the security freeze laws.  For example, the state security freeze laws generally do not apply to a check service or a fraud prevention service; a deposit account information service that issues reports about account closures due to fraud, substantial overdrafts, ATM abuse, or similar negative information; as well as a CRA that acts only as a reseller of credit information and that does not maintain a permanent database of credit information from which new credit reports are produced.[3]

What Information Is Covered

State security freeze laws typically define a “credit report” as including any written, oral, or other communication of any information by a CRA bearing on a consumer’s credit worthiness, credit standing, or credit capacity, character, reputation, personal characteristics, mode of living, and the like, which is used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for credit for personal, household or family purposes, or employment purposes or other specific purposes.[4]  Certain information, however, is generally excepted from the definition of “credit report”.  For example, under the California security freeze law a credit report does not include:  (1) information solely as to transactions or experiences between the consumer and the person making the report; (2) any internal communication within the entity making the report (or with an affiliate of the entity) of that information or information from a credit application by a consumer, so long as the consumer is provided with a clear and conspicuous written notice (and is initially notified orally, if the application is being taken over the telephone) that information contained in the credit application may be provided to affiliates; (3) any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device; (4) any report by an entity providing information to a consumer with respect to a credit decision in response to a request by a third party, if the third party provides the consumer with the name and address of the entity and that entity makes the required disclosures; (5) any report containing information solely on a consumer’s character, general reputation, personal characteristics, or mode of living which is obtained through personal interviews with neighbors, friends, or associates of the consumer reported on, or others with whom he is acquainted or who may have knowledge concerning those items of information; (6) any communication about a consumer in connection with a credit transaction which is not initiated by the consumer, between affiliated entities if either of those entities has complied with California law with respect to a prequalifying report from which the information communicated is taken and provided that the consumer has consented in writing; or (7) any consumer credit report furnished for use in connection with a transaction which consists of an extension of credit to be used solely for a commercial purpose.[5]

Requesting a Security Freeze

Any consumer residing in the state is permitted to request a security freeze to be placed on his or her credit report file under most state security freeze laws, including the laws of Arkansas,[6] California,[7] Colorado,[8] Connecticut,[9] Delaware,[10] District of Columbia,[11] Florida,[12] Indiana,[13] Kentucky,[14] Louisiana,[15] Maine,[16] Maryland,[17] Massachusetts,[18] Minnesota,[19] Montana,[20] Nebraska,[21] Nevada,[22] New Hampshire,[23] New Jersey,[24] New Mexico,[25] New York,[26] North Carolina,[27] North Dakota,[28] Oklahoma,[29] Oregon,[30] Pennsylvania,[31] Rhode Island,[32] Tennessee,[33] Utah,[34] West Virginia,[35] Wisconsin,[36] and Wyoming.[37]  As initially enacted, the security freeze laws of Hawaii,[38] Illinois,[39] Texas,[40] Vermont,[41] and Washington[42] only permitted victims of identity theft to place a security freeze on their credit report files; however, these laws were subsequently amended to permit any consumer to do so.  However, only a victim of identity theft is permitted to place a security freeze on his or her credit report file under the security freeze laws of Kansas,[43] Mississippi,[44] and South Dakota.[45]

State laws vary with respect to the method by which a consumer may request a security freeze.  The laws of Arkansas,[46] California,[47] Colorado,[48] Connecticut,[49] District of Columbia,[50] Florida,[51] Hawaii,[52] Illinois,[53] Kansas,[54] Kentucky,[55] Louisiana,[56] Maine,[57] Mississippi,[58] Nebraska,[59] Nevada,[60] New Hampshire,[61] North Carolina,[62] Oklahoma,[63] Rhode Island,[64] South Dakota,[65] Tennessee,[66] Texas,[67] Utah,[68] Vermont,[69] Washington,[70] Wisconsin,[71] and Wyoming[72] require that the individual requesting the freeze do so through a written request by certified mail.  Other state security freeze laws permit the individual to request the security freeze by other methods, such as regular mail,[73] e-mail,[74] telephone,[75] or other secured method authorized by the CRA.  In addition, some state laws, such as the laws of Tennessee, Montana, and West Virginia, require that individuals be provided with an electronic method of requesting security freezes by January 31, 2009.[76]  In addition, state security freeze laws generally identify the information that an individual must provide in order to place a security freeze.  For example, most state laws require an individual to provide proper identification when requesting a security freeze, and victims of identity theft might also be required to provide a valid copy of a police report, investigative report, or complaint filed with a law enforcement agency. 

Duties of a CRA

Several state security freeze laws require CRAs to notify individuals of their right to request a security freeze.[77]  In addition, state security freeze laws generally identify the duties of CRAs when an individual requests a security freeze.  For example, the California security freeze statute requires a CRA to place a “security freeze” on a consumer’s credit report file no later than five business days after receiving a written request from the consumer;[78] to send a written confirmation to the consumer within ten business days and to provide the consumer with a “unique personal identification number [PIN] or password to be used by the consumer when providing authorization for the release of his or her credit [report] for a specific part or period of time;”[79] and, once the security freeze has been established, bars the CRA from releasing the consumer’s credit report to a third party “without the express authorization of the consumer.”[80]  Some other states require the CRA to place the security freeze within three business days of receiving a request.

Access to a “Frozen” Credit Report File

Most state security freeze laws allow an individual to request a temporary lift of a security freeze for a specific period of time, or for a specific purpose, or both.  In general, in order to temporarily lift a security freeze, an individual must contact the CRA by the method provided by the state law, provide “proper identification” and the unique PIN or password previously provided by the CRA, and provide proper information regarding the specific period of time or the recipient to which the particular request relates.  Many state security freeze laws also specify the duties of a CRA once an individual requests that a security freeze be temporarily lifted or removed from his or her credit report file.  For example, the California security freeze statute directs a CRA to “temporarily lift a freeze” on receipt of a request from the consumer, and the CRA must comply with the request within three business days.  Some state laws require or permit CRAs to develop procedures involving the use of telephone, fax, Internet, or other electronic media to receive and process a request from an individual to temporarily lift a freeze in an expedited manner.  Moreover, some state security freeze laws, such as those of Delaware,[81] District of Columbia,[82] Indiana,[83] Maryland,[84] Montana,[85] Nebraska,[86] New Mexico,[87] Tennessee,[88] Utah,[89] Washington,[90] West Virginia,[91] and Wyoming[92] require a CRA to develop procedures to honor an Internet-based or telephonic request to temporarily lift a security freeze within fifteen minutes of receiving the request. 

In addition to provisions permitting access to “frozen” credit report file information in response to a request from a consumer, state security freeze laws generally include other exceptions that permit access to “frozen” credit report file information, including for prescreening, account review, or collection purposes; by a subsidiary or affiliate of a person to whom the consumer has granted access for the purpose of facilitating an extension of credit or another permissible use; or by government entities, including law enforcement agencies and courts.[93]

Security Alerts

In addition to security freeze laws, a few states, including California,[94] Louisiana,[95] North Dakota,[96] and Texas,[97] have enacted laws allowing consumers to place a “security alert” or “fraud alert” on their credit report files by making a written request by certified mail to a CRA.  Unlike a security freeze, a “security alert” should not prevent a person from obtaining a consumer’s credit report file from a CRA.  However, if a user obtains a credit report file containing a security alert, the user generally must take reasonable steps to verify the consumer’s identity in order to ensure that the application is not the result of identity theft. 

For example, under the California security alert statute, CRAs are required to place a security alert on a consumer’s credit report file within five business days after receiving a request, in writing or by telephone, from the consumer.[98]  The security alert remains on the consumer’s credit report file for at least ninety days, subject to renewal by the consumer,[99] and the CRA is required to notify the consumer who has requested the security alert about the expiration date of the alert.[100]

The California security alert statute also provides that a user who receives a security alert on a consumer’s credit report file “may not lend money, extend credit, or complete the purchase, lease, or rental of goods or non-credit-related services without taking reasonable steps to verify the consumer’s identity, in order to ensure that the application for an extension of credit or for the purchase, lease, or rental of goods or non-credit related services is not the result of identity theft.”[101] In addition, the California law requires the user to “take reasonable steps to verify the identity of the consumer by contacting the consumer” using the telephone number specified by the consumer, if the consumer has placed a statement with the security alert requesting verification by calling that telephone number.[102]  Under the California security alert statute, an “‘extension of credit’ does not include an increase in the dollar limit of an existing open-end credit plan, as defined in Regulation Z issued by the Board of Governors of the Federal Reserve System (12 C.F.R. 226.2), or any change to, or review of, an existing credit account.”[103]

 


[1] States that have enacted legislation regulating the use of SSNs include Arizona, Arkansas, California, Colorado, Connecticut, Georgia, Hawaii, Illinois, Kansas, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, New Jersey, New Mexico, New York, North Carolina, Oklahoma, Oregon, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, and Virginia.  Although most of these state statutes generally apply to persons doing business in the state, some state laws, such as the Oklahoma and Nebraska laws, apply specifically in the employment context.  These state statutes have varying effective dates.

[2] Cal. Civ. Code § 1785.3(d).  See also Colo. Rev. Stat. § 12-14.3-102(4); Del. Code Ann. tit. 6, § 2202(3); D.C. Code § 28-3861(3); N.Y. Gen. Bus. Laws § 380-a(e); Tex. Bus. & Com. Code § 20.01(5).

[3] See, e.g., Cal. Civ. Code §§ 1785.11.4, 1785.11.6; N.Y. Gen. Bus. Laws § 380-t(p); SB 222, 80th Legis. (Tex. 2007).

[4] See, e.g., Cal. Civ. Code § 1785.3(c); N.Y. Gen. Bus. Laws § 380-a(c); Tex. Bus. & Com. Code § 20.01(4).

[5] Cal. Civ. Code § 1785.3(c).

[6] HB 2215, Reg. Sess. of the 86th Gen. Assem. (Ark. 2007).

[7] Cal. Civ. Code § 1785.11.2(a).

[8] Colo. Rev. Stat. § 12-14.3-106.6(1).

[9] Conn. Gen. Stat. § 36a-701a(a).

[10] Del. Code Ann. tit. 6, § 2203(b).

[11] D.C. Code § 28-3862(a).

[12] Fla. Stat. § 501.005(2).

[13] SB 403, 1st Reg. Sess. of the 115th Gen. Assem. (Ind. 2006).

[14] Ky. Rev. Stat. Ann. § 367.365(1)(a).

[15] La. Rev. Stat. Ann. § 9:3571.1(M)(1).

[16] Me. Rev. Stat. Ann. tit. 10, §§ 1313-C(1)(A)-(B).

[17] HB 117, Reg. Sess. of the 422nd Gen. Assem. (M.D. 2007).

[18] HB 4144, Reg. Sess. of the 185th Gen. Ct. (Mass. 2007).

[19] Minn. Stat. § 13C.016, Subd. 2.

[20] SB 116, Reg. Sess. of the 60th Legis. (Mont. 2007).

[21] LB 674, 1st Sess. of the 100th Legis. (Neb. 2007).

[22] Nev. Rev. Stat. § 590C.300(1).

[23] N.H. Rev. Stat. Ann. § 359-B:24(I).

[24] N.J. Stat. Ann. § 56:11-46(a).

[25] N.M. Stat. § 56-15-3.

[26] N.Y. Gen. Bus. Law § 380-t(a).

[27] N.C. Gen. Stat. § 75-63(a).

[28] N.D. Cent. Code § 51-33-03(1).

[29] Okla. Stat. tit. 24, § 151(A).

[30] SB 583, Reg. Sess. of the 74th Legis. Assem. (Or. 2007).

[31] 73 Pa. Stat. Ann. § 2503(a)(1).

[32] R.I. Gen. Laws § 6-48-5(a).

[33] HB 200, Reg. Sess. of the 105th Gen. Assem. (Tenn. 2007).

[34] Utah Code Ann. § 13-45-201(1).

[35] W. Va. Code § 46A-6L-102(a).

[36] Wis. Stat. § 100.54(2)(a).

[37] Wyo. Stat. § 40-12-503(a).

[38] Haw. Rev. Stat. § 489P-3(a), amended by HB 1612, 24th State Legis. (Haw. 2007).

[39] 815 Ill. Comp. Stat. 505/2MM, as amended by Pub. Act 94-799.

[40] Tex. Bus. & Com. Code § 20.034, as amended by SB 222, 80th Legis. (Tex. 2007).

[41] Vt. Stat. Ann. tit. 9, § 2480h(a), as amended by Act No. 211 (2005).

[42] Wash. Rev. Code § 19.182.170(1), amended by SB 5826, Reg. Sess. of the 60th Legis. (Wash. 2007).

[43] Kan. Stat. Ann. § 50-723(a).

[44] SB 3034, Reg. Sess. of the 2007 Legis. (Miss. 2007).

[45] S.D. Codified Laws § 54-15.3.

[46] HB 2215, Reg. Sess. of the 86th Gen. Assem. (Ark. 2007).

[47] Cal. Civ. Code § 1785.11.2(a).

[48] Colo. Rev. Stat. § 12-14.3-106.6(1).

[49] Conn. Gen. Stat. § 36a-701a(a).  The Connecticut law also permits the CRA to authorize other secure methods by which a consumer may submit a request to place a security freeze.  Id.

[50] D.C. Code § 28-3862(a).

[51] Fla. Stat. § 501.005(2).

[52] Haw. Rev. Stat. § 489P-3(a), amended by HB 1612, 24th State Legis. (Haw. 2007).

[53] 815 Ill. Comp. Stat. 505/2MM(c).

[54] Kan. Stat. Ann. § 50-723(a).

[55] Ky. Rev. Stat. Ann. § 367.365(1)(a).

[56] La. Rev. Stat. Ann. § 9:3571.1(M)(1).

[57] Me. Rev. Stat. Ann. tit. 10, §§ 1313-C(1)(A)-(B).

[58] SB 3034, Reg. Sess. of the 2007 Legis. (Miss. 2007).

[59] LB 674, 1st Sess. of the 100th Legis. (Neb. 2007).

[60] Nev. Rev. Stat. § 590C.300(1).

[61] N.H. Rev. Stat. Ann. § 359-B:24(I).

[62] N.C. Gen. Stat. § 75-63(a).

[63] Okla. Stat. tit. 24, § 151(A).

[64] R.I. Gen. Laws § 6-48-5(a).

[65] S.D. Codified Laws § 54-15.3.

[66] HB 200, Reg. Sess. of the 105th Gen. Assem. (Tenn. 2007).  Beginning January 1, 2009, a CRA must make available an electronic method for requesting a security freeze.

[67] Tex. Bus. & Com. Code § 20.034, as amended by SB 222, 80th Legis. (Tex. 2007).

[68] Utah Code Ann. § 13-45-201(1).

[69] Vt. Stat. Ann. tit. 9, § 2480h(a).

[70] Wash. Rev. Code § 19.182.170(1).

[71] Wis. Stat. § 100.54(2)(a).  The Wisconsin law also permits an individual to request a security freeze by any other means that the CRA may provide.

[72] Wyo. Stat. § 40-12-503(a).

[73] See, e.g., Del. Code Ann. tit. 6, § 2203(b); SB 403, 1st Reg. Sess. of the 115th Gen. Assem. (Ind. 2006); HB 4144, Reg. Sess. of the 185th Gen. Ct. (Mass. 2007); N.M. Stat. § 56-15-3; N.D. Cent. Code § 51-33-02.

[74] See, e.g., Del. Code Ann. tit. 6, § 2203(b); SB 403, 1st Reg. Sess. of the 115th Gen. Assem. (Ind. 2006); Minn. Stat. § 13C.016, Subd. 2; N.J. Stat. Ann. § 56:11-46(a); N.D. Cent. Code § 51-33-02.

[75] See, e.g., HB 117, Reg. Sess. of the 422nd Gen. Assem. (M.D. 2007); Minn. Stat. § 13C.016, Subd. 2; N.D. Cent. Code § 51-33-02.

[76] See, e.g., H.B. 200, 105th Gen. Assem. (Tenn. 2007); S.B. 116, 2007 Montana Legis. (Mont. 2007); W. Va. Code § 46A-6L-102(a).

[77] See, e.g., HB 2215, Reg. Sess. of the 86th Gen. Assem. (Ark. 2007); Del. Code Ann. tit. 6, § 2203(c); D.C. Code § 28-3863; Fla. Stat. § 501.005(17); HB 117, Reg. Sess. of the 422nd Gen. Assem. (M.D. 2007); SB 116, Reg. Sess. of the 60th Legis. (Mont. 2007); N.H. Rev. Stat. Ann. § 359-B:24(I); N.M. Stat. § 56-15-4; N.Y. Gen. Bus. Law § 380-t(q); N.D. Cent. Code § 51-33-12; Okla. Stat. tit. 24, § 158; R.I. Gen. Laws § 6-48-6; HB 200, Reg. Sess. of the 105th Gen. Assem. (Tenn. 2007); W. Va. Code § 46A-6L-103.

[78] Cal. Civ. Code § 1785.11.2(b).

[79] Cal. Civ. Code § 1785.11.2(c).

[80] Cal. Civ. Code § 1785.11.2(a).

[81] Del. Code Ann. tit. 6, § 2203(b)(5).

[82] D.C. Code § 28-3862(e).

[83] SB 403, 1st Reg. Sess. of the 115th Gen. Assem. (Ind. 2006).

[84] HB 117, Reg. Sess. of the 422nd Gen. Assem. (M.D. 2007).

[85] SB 116, Reg. Sess. of the 60th Legis. (Mont. 2007).

[86] LB 674, 1st Sess. of the 100th Legis. (Neb. 2007).

[87] N.M. Stat. § 56-15-3(E).

[88] HB 200, Reg. Sess. of the 105th Gen. Assem. (Tenn. 2007).

[89] Utah Code Ann. § 13-45-202.

[90] SB 5826, Reg. Sess. of the 60th Legis. (Wash. 2007).

[91] W. Va. Code § 46A-6L-102(f).

[92] Wyo. Stat. § 40-12-504(c).

[93] See, e.g., Cal. Civ. Code § 1785.11.2(l); N.Y. Gen. Bus. Laws § 380-t(m); Tex. Bus. & Com. Code § 20.038.

[94] Cal. Civ. Code § 1785.11.1.

[95] La. Rev. Stat. Ann. § 9:3571.1(I)-(L).

[96] N.D. Cent. Code §§ 51-31-02 to 51-31-03.

[97] Tex. Bus. & Com. Code § 20.031.

[98] Cal. Civ. Code § 1785.11.1(e).  The Texas law requires the security alert to be placed within 24 hours after the CRA receives the request, and the security alert must be in effect for not less than 45 days.  Tex. Bus. & Com. Code § 20.031.

[99] See, e.g., Cal. Civ. Code § 1785.11.1(f).

[100] See, e.g., Cal. Civ. Code § 1785.11.1(j).

[101] Cal. Civ. Code § 1785.11.1(g).

[102] Id.

[103] Id. at § 1785.11.1(h).
