Federal legislation recently took effect that prohibits consumer reporting agencies from charging a fee to place or remove (lift) a security freeze on a consumer credit report in response to a consumer request. The “Economic Growth, Regulatory Relief, and Consumer Protection Act” (the Act) was passed on May 24, 2018. The Act includes important updates to the Fair Credit Reporting Act (FCRA) that may in turn affect the information that businesses provide to customers or clients in response to a data breach or similar security incident.

As of September 21, 2018, Section 301 of the Act updates FCRA to expand consumer credit protections. Specifically, Section 301 newly enables a consumer to obtain – free of charge – a nationwide security freeze on a credit report by submitting a request to the nationwide consumer reporting agencies (Equifax, Experian and TransUnion). Previously, fees for placing and lifting a security freeze were generally set by state law, and as a result consumers were subject to a patchwork of differing laws (and fees) across the country based on their state of residence (see our analysis of recent changes to Connecticut’s law).

Section 301 of the Act also amends FCRA to allow a consumer to request a security freeze from a consumer reporting agency by phone or secure electronic means (online), whereas previously consumers generally had to request such freezes by mail. The Act sets the deadline for a consumer reporting agency to place a security freeze requested by phone or secure electronic means at 1 business day after receiving the request, whereas such agencies have up to 3 business days to place a security freeze in response to a request received by mail. Similarly, the Act requires a consumer reporting agency to lift a security freeze within 1 hour of receiving a request to do so via secure electronic means or telephone, but gives such agencies 3 business days to remove a security freeze in response to a mailed request. A security freeze will remain in place until a consumer requests its removal (except that a consumer reporting agency can lift a security freeze if it finds that the freeze was obtained on the basis of a material misrepresentation).

The Act correspondingly implements a new requirement that consumer reporting agencies establish websites that allow a consumer to request (i) a security freeze, (ii) an initial fraud alert, (iii) an extended fraud alert, or (iv) an active duty fraud alert, provided that such websites cannot be the only mechanism by which a consumer may request a security freeze.

Section 301 extends to 1 year (from the current requirement of 90 days) the period of time that a consumer reporting agency is obligated to include a fraud alert in the file of a consumer in response to a request from (or on behalf of) the consumer where there is a good faith belief that the consumer has been or is about to become the victim of fraud or a related crime (such as identity theft).

Finally, Section 301 includes standard language for certain notifications to consumers which must be provided any time a consumer is required to receive a summary of rights under FCRA. The standard language provides a government-endorsed template that may also be used by businesses other than consumer reporting agencies in communications with consumers, such as in response to a data breach or similar event. Section 301 also implements legislative protections under FCRA for “protected consumers” (consumers under the age of 16 at the time a request for a security freeze is made, or who are incapacitated or under protection of a guardian or conservator) that are consistent with those described above for consumers.