Back

Establish, implement, and maintain a consumer credit report policy.


CONTROL ID
00257
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Privacy protection for information and data, CC ID: 00008

This Control has the following implementation support Control(s):
  • Prohibit intentionally misleading credit reports from being provided to other third parties., CC ID: 00258
  • Limit the use or disclosure of credit reports by mortgage insurers., CC ID: 00259
  • Limit the use or disclosure of credit reports by corporations., CC ID: 00260
  • Limit the use or disclosure of credit reports by legal advisors., CC ID: 00261
  • Define the credit information disclosure parameters., CC ID: 00262
  • Define the credit provider's nondisclosure requirement exceptions for personal data contained in credit reports that concern creditworthiness., CC ID: 00263


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • A credit reporting agency must not open a credit information file on an individual unless it has information of the kind stated in section 18e(1)(b) or section 18e(1)(ba) to include in the file. (§ 18E(7), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A credit provider that is or has been in control or possession of a credit report must not use it unless all personal information that is not of a kind listed in section 18e(1) has been deleted. (§ 18L(3)(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A credit provider that is or has been in control or possession of a credit report must not use personal information that is derived from the credit report unless the information is of a kind listed in section 18e(1). (§ 18L(3)(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • Permission for collection and registration of financial and credit standing data for the purpose of disclosure to others will be governed by a regulation. A permit by the Data Protection Authority is required for this disclosure. The following provisions of this Act apply: Articles 11, 12, 13, 18, 2… (Art 45.2, Iceland Protection of Privacy as regards the Processing of Personal Data)
  • Credit information agencies may disclose data on debts to public authorities in accordance with the provisions in Chapter 5 of this Act. (§ 15(1), Denmark, The Act on Processing of Personal Data)
  • Information service providers of creditworthiness and credit may only process personal data obtained from public registers and sources set up for that purpose or based on the data subject's information or with his/her consent. The processing is also allowed for the fulfillment or non-fulfillment of … (Art 29, ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data)
  • Persons engaged in credit data activity may record the name and contact information of a person and data on defaults in performance or payment into a credit data file when the default is established by a judgment or a judgment by default by a court when all appeals have been exhausted, by protest of… (§ 20, Finland Personal Data Protection Act (523/1999))
  • People involved in providing credit information services and financial solvency are not included in the companies under the Law to Regulate Credit Information Companies and they may process personal data: if they register the file; only if they use data from publicly available sources or supplied wi… (Art 12, Colima Personal Data Protection Law (Decree No. 356))
  • Providing credit information services do not require consent when they are related to commercial activities or credit of the transferees. The person in charge of the personal data will report on the solvency and credit of unqualified persons and the feasibility to be subject to pecuniary obligations… (Art 60 ¶ 6, Art 60 ¶ 7, Tlaxcala Law on Access to Public Information and Personal Data Protection)
  • If the client is a financial institution or creditor, are transactions for covered accounts for the client accessed, modified, or processed, including address changes and discrepancies? (§ P.11, Shared Assessments Standardized Information Gathering Questionnaire - P. Privacy, 7.0)
  • A telemarketer may not request money or goods to remove derogatory information from, or improve a person's credit history, credit record or credit rating. (§ 310.4(a)(2), 16 CFR Part 310, Telemarketing Sales Rule (TSR))
  • Creditors must not discriminate against any applicants. (§ 202.4(a), Equal Credit Opportunity Act (Reg. B))
  • Consumer reporting agencies must disclose a consumer's record to the consumer free of charge upon request once per 12-month period. The consumer reporting agencies must provide a toll-free telephone number to request the free credit report. The consumer reporting agency must provide the report no la… (§ 211(a), Fair and Accurate Credit Transactions Act of 2003 (FACT Act))
  • Consumer reporting agencies must disclose a consumer's record to the consumer free of charge upon request once per 12-month period. The consumer reporting agencies must provide a toll-free telephone number to request the free credit report. The consumer reporting agency must provide the report no la… (§ 604(a), § 612(a), § 605(a) thru § 605(f), Fair Credit Reporting Act (FCRA), July 30, 2004)
  • Consumer report users must develop and implement policies and procedures that are reasonable to ensure that the user can reasonably believe that the consumer report he/she receives relates to the consumer that was requested when a notice of address discrepancy is received by the user. Consumer repor… (§ 41.82(c)(1), § 41.82(d)(1), § 222.82(c)(1), § 222.82(d)(1), § 334.82(c)(1), § 334.82(d)(1), § 571.82(c)(1), § 571.82(d)(1), § 681.1(c)(1), § 681.1(d)(1), § 717.82(c)(1), § 717.82(d)(1), Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007)
  • Does the member notice include a description of fraud alerts and how a member may place a fraud alert into their consumer report? (IT - 748 Compliance Q 18b, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the member notice include a recommendation that the member periodically obtain credit reports and have any information that relates to fraudulent transactions deleted? (IT - 748 Compliance Q 18c, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • When a consumer submits a court order to a consumer reporting agency, the agency must, within 30 days of receipt, use reasonable procedures to block the reporting of information in the consumer's credit report identified in a court order that is the result of a criminal violation of this Act, and th… (§ 13A-8-200(b)(1) thru § 13A-8-200(b)(3), Code of Alabama, Article 10, The Consumer Identity Protection Act, Sections 13A-8-190 thru 13A-8-201)
  • If the organization must notify more than 1,000 Alaska residents about a breach, the organization must also notify all national affected individual reporting agencies, without unreasonable delay, of the distribution, timing, and content of the notices. Organizations subject to the Gramm-Leach-Bliley… (§ 45.48.040, Alaska Personal Information Protection Act, Chapter 48)
  • Each consumer credit reporting agency shall allow consumers to visually inspect all files maintained about the consumer at the time of the request, upon request and after proper identification of the consumer. (§ 1785.10(a), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer may choose to have his or her name and address excluded from lists provided by the consumer credit reporting agency by notifying them in writing or by telephone that he or she does not consent to any use of credit reports in connection with to transactions that are not initiated by the co… (§ 1785.11(d)(1), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • The consumer's choice under section 1785.11(d)(1) shall be effective on the date the consumer notifies the consumer credit reporting agency. (§ 1785.11(d)(2), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer's choice under section 1785.11(d)(1) shall terminate after the consumer notifies the credit reporting agency that the choice is no longer effective. (§ 1785.11(d)(3), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer may choose to put a security alert on his or her credit report by requesting it in writing or by telephone to the consumer credit reporting agency. (§ 1785.11.1(a), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency shall put the security alert on a consumer's credit report no later than 5 business days after the request is received. (§ 1785.11.1(e), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency shall notify each consumer who requested a security alert with the expiration date of the security alert. (§ 1785.11.1(j), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer may choose to place a security freeze on the credit report by requesting it in writing by mail to the credit reporting agency. (§ 1785.11.2(a), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency shall put a security freeze on a credit report no later than 3 business days after the written request is received. (§ 1785.11.2(b), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer shall contact the credit reporting agency, request the security freeze be temporarily lifted, and provide proper identification when he or she wants a credit report with a security freeze to be accessed for a specific time or by a specific person. (§ 1785.11.2(d)(1), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer shall contact the credit reporting agency, request the security freeze be temporarily lifted, and provide the unique password or personal identification number that was provided by the credit reporting agency when he or she wants a credit report with a security freeze to be accessed for a… (§ 1785.11.2(d)(2), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer shall contact the credit reporting agency, request the security freeze be temporarily lifted, and provide the proper information of who will receive the credit report or the time period that it will be available when he or she wants a credit report with a security freeze to be accessed fo… (§ 1785.11.2(d)(3), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency shall temporarily lift or remove a security freeze on the consumer's request only. (§ 1785.11.2(g)(1), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency shall temporarily lift or remove a security freeze on a credit report only if the credit report was frozen due to a material misrepresentation of fact by the consumer. (§ 1785.11.2(g)(2), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A security freeze shall remain in effect until the consumer requests that the security freeze be removed. (§ 1785.11.2(j), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency shall remove a security freeze inside of 3 business days after receiving the request, if the consumer provides proper identification and the unique password or personal identification number provided by the credit reporting agency. (§ 1785.11.2(j), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • Sections 1785.11.1, 1785.11.2, and 1785.11.3 do not apply to a consumer credit reporting agency that acts as a reseller and does not maintain a permanent database of credit information from which new credit reports are generated. (§ 1785.11.4, Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency acting pursuant to section 1785.22 shall honor any security freeze that is placed on the security report by another credit reporting agency. (§ 1785.11.4, Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A check services company or fraud prevention services company which issues reports on fraud incidents or authorizations for approving or processing negotiable instruments or electronic fund transfers are not required to place a security freeze or a security alert in a credit report. (§ 1785.11.6(a), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A deposit account information services company which issues reports about account closure due to fraud, Automated Teller Machine abuse, substantial overdrafts, or other negative information about a consumer to banks or financial institutions for reviewing a request for a deposit account is not requi… (§ 1785.11.6(b), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency that provides a credit report containing bankruptcy information shall include the identification of the chapter of title 11 under which the case arose, if it can be ascertained. (§ 1785.13(c), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency shall include in the credit report information any failure to pay overdue child support or spousal support, when the information is provided pursuant to section 4752 or is verified by another federal, state, or local government agency. (§ 1785.13(g), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency shall not generate a credit report with respect to a document acting as a lien or encumbrance, but which has a court order striking or releasing the lien or encumbrance. (§ 1785.135, Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency shall not provide a credit report to any person unless it has reasonable grounds to believe the credit report will be used for the purposes stated in section 1785.11. (§ 1785.14(a), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • Permanently retained identifying information that is maintained in the consumer's file shall be clearly identified so that a person reviewing the file can easily tell the difference between permanently stored identifying information and other identifying information that may be a part of the file. (§ 1785.14(b), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency shall not be required to develop or disclose a credit score if it does not distribute scores used in connection with residential real property loans. (§ 1785.15.1(e)(1), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency shall not be required to develop or disclose a credit score if it does not develop credit scores to assist credit provider's with understanding general credit behavior and predicting future credit behavior. (§ 1785.15.1(e)(2), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency shall not be required to furnish further explanation or process a dispute if it distributes credit scores developed by another organization or person, except that it shall provide the name, address, and website for contacting the developer of the credit score. (§ 1785.15.1(f), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency shall not be required to maintain credit scores in its files. (§ 1785.15.1(g), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency shall clearly and conspicuously disclose to the consumer his or her rights to request a notification to be sent to persons who received the credit report, at or before the time information is deleted or the agency receives the consumer's statement. (§ 1785.16(h), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A creditor may not sell a consumer debt to a debt collector, if the consumer is a victim of identity theft and the creditor has received notice of the identity theft. (§ 1785.16.2(a), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • The provisions of sections 1785.16(k) and 1785.16(l) do not apply to consumer credit reporting agencies that act only as resellers by assembling and merging database information from another Consumer Reporting Agency and, it does not maintain a permanent database of the credit information that it us… (§ 1785.16.3, Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency that compiles and reports consumer information that is from public records shall state the source of the public record information in any report containing the information, including the particular court, if any, and the date the information was initially publicize… (§ 1785.18(a), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency that provides credit reports for employment purposes and compiles and reports information from public records and which are likely to have an adverse effect on the consumer's ability to gain employment shall maintain strict procedures to ensure the public record in… (§ 1785.18(b), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency that provides credit reports for employment purposes shall not report a consumer's age, color, race, marital status, or creed. (§ 1785.18(c), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A person who takes adverse action on a consumer and the adverse action is based on information contained in a consumer credit report shall provide the consumer with a written notice of the adverse action. (§ 1785.20(a)(1), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A person who takes adverse action on a consumer and the adverse action is based on information contained in a consumer credit report shall provide the consumer with the name, address, and telephone number of the credit reporting agency that provided the credit report. (§ 1785.20(a)(2), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A person who takes adverse action on a consumer and the adverse action is based on information contained in a consumer credit report shall provide the consumer with a statement that the credit grantor's decision for adverse action was based on information in the credit report. (§ 1785.20(a)(3), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A person who uses a credit report in conjunction with a credit transaction that is not initiated by the consumer and consists of a firm offer of credit shall furnish the consumer with a clear and conspicuous statement that the information in the prequalifying report was used in connection with the t… (§ 1785.20.1(a)(1), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A person who uses a credit report in conjunction with a credit transaction that is not initiated by the consumer and consists of a firm offer of credit shall furnish the consumer with a clear and conspicuous statement that the consumer received the credit offer because the consumer satisfied the cre… (§ 1785.20.1(a)(2), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A person who uses a credit report in conjunction with a credit transaction that is not initiated by the consumer and consists of a firm offer of credit shall furnish the consumer with a clear and conspicuous statement that credit may not be extended if the consumer does not meet the criteria used fo… (§ 1785.20.1(a)(3), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A person who uses a credit report in conjunction with a credit transaction that is not initiated by the consumer and consists of a firm offer of credit shall furnish the consumer with a clear and conspicuous statement that the consumer has the right to prohibit the use of information in the file in … (§ 1785.20.1(a)(4), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • Section 1785.20.1(a) does not apply to a person who procures the prequalifying report and clearly and conspicuously discloses that the report might be provided and used by persons who might be affiliated in a way stated in section 1785.20.1(b)(1). (§ 1785.20.1(b)(2), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A person who uses a credit score other than one provided by a credit reporting agency may satisfy the obligation to furnish a credit score by disclosing the credit score and key factors supplied by the credit reporting agency to the consumer as soon as reasonably practicable. (§ 1785.20.2(c), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • Section 1785.20.2 shall not require a person to explain the provided information pursuant to section 1785.15.1. (§ 1785.20.2(e)(1), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • Section 1785.20.2 shall not require a person to disclose any information other than the credit score and key factors. (§ 1785.20.2(e)(2), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • Section 1785.20.2 shall not require a person disclose a credit score or related information that was received by the user after the loan has closed. (§ 1785.20.2(e)(3), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • Section 1785.20.2 shall not require a person to furnish more than 1 disclosure per loan transaction. (§ 1785.20.2(e)(4), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • Section 1785.20.2 shall not require a person to furnish the required disclosure when another person made the disclosure to the consumer for the loan transaction. (§ 1785.20.2(e)(5), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • The user of a credit report for employment purposes shall provide a written notice to the consumer before requesting the credit report that notifies the consumer the report will be used, the source of the credit report, and a box the consumer may check to receive a copy of the credit report. (§ 1785.20.5(a), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • When a consumer indicates he or she wants a copy of the credit report, the credit report user shall request a copy be furnished to the consumer when the user requests the credit report from the credit reporting agency, and the credit reports shall be furnished contemporaneously and at no charge. (§ 1785.20.5(a), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A person may not buy a credit report for the purpose of reselling it, unless the person discloses to the credit reporting agency the identity of the ultimate end user and each permissible purpose the credit report is furnished for. (§ 1785.22(a), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A person who buys a credit report for reselling it shall establish and comply with procedures to ensure the credit report or information is resold only for purposes for which the credit report may be furnished. (§ 1785.22(b)(1), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A person shall not furnish information to a credit reporting agency for a specific transaction if the person knows or should know that the information is inaccurate or incomplete. (§ 1785.25(a), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A person who provides information to a credit reporting agency on a regular basis about a consumer who has an open-end account shall notify the credit reporting agency when the consumer closes the account. (§ 1785.25(d), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A person who puts a delinquent account for collection, charges the delinquent account for profit or loss, or takes similar action, and provides the information to a credit reporting agency about the action, shall include the starting date of the delinquency in the notice. (§ 1785.25(e), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • The consumer may require the credit reporting agency to state on credit reports that the information is under dispute. (§ 1785.30, Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • If the organization must notify more than 1,000 affected individuals about a breach, the organization must also notify all national consumer reporting agencies, without unreasonable delay of the distribution, timing, and content of the notices. This requirement does not apply to organizations subjec… (§ 28-3852(c), District of Columbia Official Code, Division V Local Business Affairs, Title 28. Commercial Instruments and Transactions, Chapter 38. Consumer Protections, Subchapter II. Consumer Security Breach Notification)
  • If the organization must notify more than 1,000 affected individuals about a breach, the organization must also notify all national consumer reporting agencies, without unreasonable delay, of the distribution, timing, and content of the notices. (§ 817.5681(12), Florida Statutes, Section 817.5681, Breach of security concerning confidential personal information in third-party possession)
  • § 10-1-912(d) If the organization must notify more than 10,000 affected individuals about a security breach, the information broker must also notify all national consumer reporting agencies, without unreasonable delay, of the distribution, timing, and content of the notices. § 10-1-914(o) In accor… (§ 10-1-912(d), § 10-1-914(o), Georgia Code, Title 10, Chapter 1, Article 34, Sections 10-1-911 thru 10-1-915, Notification required upon breach of security regarding personal information)
  • If the organization must notify more than 1,000 Hawaii residents about a breach, the organization must also notify in writing all national consumer reporting agencies and the State of Hawaii's office of consumer protection, without unreasonable delay, of the distribution, timing, and content of the … (§ 487N-2(f), Hawaii Revised Statute, Section 487N, Security Breach of Personal Information)
  • If a State agency must notify more than 1,000 affected individuals about a breach, the organization must also notify all national consumer reporting agencies, without unreasonable delay, of the distribution, timing, and content of the notices. (§ 530/12(d), Illinois Compiled Statutes, Chapter 815, ILCS 530/Personal Information Protection Act.)
  • If the organization must notify more than 1,000 affected individuals about a security breach, the organization must also notify all national consumer reporting agencies information necessary to aid the agency in preventing fraud. (§ 24-4.9-3-1(b), Indiana Code 24, Article 4.9, Disclosure of Security Breach)
  • If the organization must notify more than 1,000 affected individuals about a breach, the organization must also notify all national consumer reporting agencies of the distribution, timing, and content of the notices without unreasonable delay. (§ 4-1-11-10, Indiana Code 24, Notice of Security Breach, Chapter 11)
  • If the organization must notify more than 1,000 Kansas residents about a security breach, the organization must also notify all national consumer reporting agencies without unreasonable delay of the distribution, timing, and content of the notices. (§ 50-7a02(f), Kansas Statutes, Chapter 50, Article 7a, Protection Of Consumer Information)
  • If the organization must notify more than 1,000 affected individuals about a security breach, the organization must also notify all national consumer reporting agencies without unreasonable delay. The notice to the consumer reporting agencies must include the breach date, estimated number of individ… (§ 1348.4, Maine Revised Statutes Title 10, Part 3, Chapter 210-B, Notice of Risk to Personal Data)
  • If the organization must notify (under § 14-3504 of this subtitle) more than 1,000 individuals about a breach, the organization must also notify all national consumer reporting agencies without unreasonable delay of the distribution, timing, and content of the notices. (§ 14-3506(a), Maryland Commercial Law, Subtitle 35, Maryland Personal Information Protection Act, Sections 14-3501 thru 14-3508)
  • When the organization must notify more than 1,000 affected individuals about a security breach, the organization must also notify all national consumer reporting agencies, without unreasonable delay, of the distribution, timing, and content of the notices. (§ 13.055 Subd 5, Minnesota Statutes, Section 13.055, State Agencies; Disclosure of Breach in Security)
  • If the organization must notify more than 500 affected individuals about a breach, the organization must also notify all national consumer reporting agencies within 48 hours of the distribution, timing, and content of the notices. (§ 325E.61 Subd 2, Minnesota Statutes, Section 325E.61, Data Warehouses; Notice Required For Certain Disclosures)
  • If the organization must notify more than 1,000 Missouri residents at one time about a breach, the organization must also alert the attorney general's office and all national consumer reporting agencies, without unreasonable delay, of the notice - its distribution, timing, and content. (§ 407.1500.2(8), Missouri Revised Statutes, Chapter 407 Merchandising Practices. Section 407.1500)
  • § 30-14-1704(7) If the organization notifies an affected individual about a security breach and suggests, implies, or indicates that the affected individual may get a copy of his/her file from a consumer credit reporting agency, the organization must also coordinate the distribution, timing, and co… (§ 30-14-1704(7), § 30-14-1734(2), Montana Code - Part 17: IMPEDIMENT OF IDENTITY THEFT)
  • The credit report protection act does not apply to the use of a credit report or information derived from the credit file by a person, entity, subsidiary, affiliate, agent of that person or entity, an assignee of a financial obligation owing by the consumer to that person or entity, or a prospective… (§ 8-2613(1), Nebraska Revised Statutes, Sections 8-2061 thru 8-2615, Credit Report Protection Act)
  • The credit report protection act does not apply to the use of a credit report or the information derived from the credit file by a subsidiary, agent, assignee, affiliate, or prospective assignee who has already been granted access for facilitating the extension of credit or other allowable use. (§ 8-2613(2), Nebraska Revised Statutes, Sections 8-2061 thru 8-2615, Credit Report Protection Act)
  • The credit report protection act does not apply to the use of a credit report or the information derived from the credit file by a federal, state, or local government, including a Law Enforcement Agency, court, or their assignees. (§ 8-2613(3), Nebraska Revised Statutes, Sections 8-2061 thru 8-2615, Credit Report Protection Act)
  • The credit report protection act does not apply to the use of a credit report or the information derived from the credit file by a private collection agency that is acting under a warrant, court order, or subpoena. (§ 8-2613(4), Nebraska Revised Statutes, Sections 8-2061 thru 8-2615, Credit Report Protection Act)
  • The credit report protection act does not apply to the use of a credit report or the information derived from the credit file by a person or entity for prescreening. (§ 8-2613(5), Nebraska Revised Statutes, Sections 8-2061 thru 8-2615, Credit Report Protection Act)
  • The credit report protection act does not apply to the use of a credit report or the information derived from the credit file by a person or entity that administers a credit file monitoring subscription service the consumer has subscribed to. (§ 8-2613(6), Nebraska Revised Statutes, Sections 8-2061 thru 8-2615, Credit Report Protection Act)
  • The credit report protection act does not apply to the use of a credit report or the information derived from the credit file by a person or entity that is providing a copy of the credit report or other information derived from the credit file to the consumer after a request for a copy. (§ 8-2613(7), Nebraska Revised Statutes, Sections 8-2061 thru 8-2615, Credit Report Protection Act)
  • The credit report protection act does not apply to the use of a credit report or the information derived from the credit file by a person or entity to use to set or adjust a rate, adjust a claim, or underwrite for insurance purposes. (§ 8-2613(8), Nebraska Revised Statutes, Sections 8-2061 thru 8-2615, Credit Report Protection Act)
  • A check services company or fraud prevention services company that issues fraud incident reports or authorization incident reports for the approval or processing of negotiable instruments, electronic fund transfers, or similar payment methods are not considered Consumer Reporting Agencies and are no… (§ 8-2614(1), Nebraska Revised Statutes, Sections 8-2061 thru 8-2615, Credit Report Protection Act)
  • A deposit account information service company that issues reports about account closures due to substantial overdrafts, fraud, Automatic Teller Machine abuse, and other similar negative information to banks and financial institutions to review a consumer request for a deposit account are not conside… (§ 8-2614(2), Nebraska Revised Statutes, Sections 8-2061 thru 8-2615, Credit Report Protection Act)
  • A Consumer Reporting Agency that is acting only as a reseller by assembling and merging database information from another Consumer Reporting Agency and does not maintain a permanent database of credit information to produce new credit reports are not considered Consumer Reporting Agencies and are no… (§ 8-2614(3), Nebraska Revised Statutes, Sections 8-2061 thru 8-2615, Credit Report Protection Act)
  • If the organization must notify more than 1,000 affected individuals about a security breach, the organization must also notify all national consumer reporting agencies without unreasonable delay, of the timing and content of the notices. (§ 603A.220(6), Nevada Revised Statutes, Chapter 603A, Security of Personal Information)
  • If the organization must notify more than 1,000 affected individuals about a breach, the organization must also notify all national consumer reporting agencies, without unreasonable delay, of the date affected individuals will be notified, how many affected individuals will be notified, and the cont… (§ 359-C:20.VI, New Hampshire Statute, Title XXXI, Chapter 359-C, Right to Privacy, Notice of Security Breach)
  • If the organization must notify more than 1,000 affected individuals about a breach, the organization must also notify all national consumer reporting agencies, without unreasonable delay of the distribution, timing, and content of the notices. (§ 56:8-163.f, New Jersey Permanent Statutes, Title 56, Security of Personal Information)
  • If the organization must notify more than 5,000 New York residents about a security breach, the organization must also notify all national consumer reporting agencies of the distribution, timing, distribution, and content of the notices and the number of affected persons. This notice must not delay … (§ 899-aa.8(b), New York General Business Law Chapter 20, Article 39-F, Section 899-aa)
  • § 75-65(f) If the organization must notify more than 1,000 affected individuals about a breach, the organization must also notify all national consumer reporting agencies and the Consumer Protection Division of the Attorney General's Office, without unreasonable delay, of the distribution, timing, … (§ 75-65(f), § 75-63(n), North Carolina Statutes, Chapter 75, Article 2A, Identity Theft Protection Act, Sections 75-60 thru 75-66)
  • If the organization must notify more than 1,000 affected individuals about a breach, the organization must also notify all national consumer reporting agencies, without unreasonable delay, of the distribution, timing, and content of the notices. (§ 1349.19(G), Ohio Revised Code, Title XIII, Chapter 1347, Section 1347.12, Agency disclosure of security breach of computerized personal information data)
  • If a state agency or political subdivision agency must notify more than 1,000 affected individuals about a security breach, the state agency or political subdivision agency must also notify all national consumer reporting agencies, without unreasonable delay, of the distribution, timing, and content… (§ 1347.12(F), Ohio Revised Code, Title XIII, Chapter 1349, Section 1349.19, Private disclosure of security breach of computerized personal information data, 2009)
  • If a consumer report does not exist for a protected consumer on behalf of whom a representative seeks to place a security freeze, a consumer reporting agency shall create a protective record after receiving from the representative the request described in ORS 646A.606 (1), proper identification for … (§ 646A.608(1)(b), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • A consumer reporting agency shall place a security freeze on a consumer report not later than five business days after receiving from a consumer: (§ 646A.608(1)(a), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • The unique personal identification number or password or similar device the consumer reporting agency provided under subsection (2) of this section; and (§ 646A.608(5)(a)(B), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • A fee, if applicable. (§ 646A.608(5)(a)(C), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • A security freeze for a protective record must remain in place until the protected consumer or a representative requests, using a point of contact the consumer reporting agency designates, that the security freeze be removed or that the protective record be deleted. The consumer reporting agency doe… (§ 646A.608(5)(b), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • A consumer reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the database of another consumer reporting agency or multiple consumer reporting agencies, and does not maintain a database of credit information from which new consumer … (§ 646A.618(2)(a), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • Proper identification; (§ 646A.608(4)(a), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • The consumer reporting agency shall send a written confirmation of a security freeze on a consumer's consumer report to the consumer at the last known address for the consumer shown in the consumer report that the consumer reporting agency maintains, within 10 business days after placing the securit… (§ 646A.608(2)(a), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • Proper identification; and (§ 646A.608(1)(a)(B), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • A fee, if applicable. (§ 646A.608(1)(a)(C), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • A protective record is not subject to a temporary lift of a security freeze. (§ 646A.608(3)(b), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • The unique personal identification number or password or similar device the consumer reporting agency provided under subsection (2) of this section; (§ 646A.608(4)(b), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • An indication of the period of time during which the consumer report must be available to users of the consumer report; and (§ 646A.608(4)(c), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • A security freeze for a consumer report must remain in place until the consumer requests, using a point of contact the consumer reporting agency designates, that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days after receiving a re… (§ 646A.608(5)(a), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • Proof that the representative's authority to act on the protected consumer's behalf is no longer valid or applicable, if the protected consumer seeks to remove the security freeze or delete the protective record; and (§ 646A.608(5)(b)(C), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • A fee, if applicable. (§ 646A.608(5)(b)(D), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • A consumer reporting agency shall temporarily lift or remove a security freeze placed on a consumer report only if a consumer requests that the consumer reporting agency lift or remove the security freeze for the consumer report in accordance with ORS 646A.608. (§ 646A.612(1)(a), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • Except as provided in ORS 646A.612 (2)(a), a consumer report for a protected consumer is not subject to a temporary lift of a security freeze. (§ 646A.608(3)(c), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • A consumer reporting agency shall remove a security freeze from a protected consumer's consumer report or protective record or delete a protective record only if the protected consumer or a representative requests that the consumer reporting agency remove the security freeze from the consumer report… (§ 646A.612(1)(b), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • The unique personal identification number or password or similar device the consumer reporting agency provided under subsection (2) of this section; (§ 646A.608(3)(a)(B), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • An indication of the period of time during which the consumer report must be available to users of the consumer report; and (§ 646A.608(3)(a)(C), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • If the state agency must notify more than 1,000 affected individuals about a breach, the organization must also notify all national consumer reporting agencies and the Consumer Protection Division of the Department of Consumer Affairs, without unreasonable delay, of the distribution, timing, and con… (§ 1-11-490(I), South Carolina Code of Laws, Section 1-11-490, Breach of security of state agency data notification, 2008 Session)
  • If the organization must notify more than 1,000 affected individuals about a security breach, the organization must also notify all national consumer reporting agencies and the Consumer Protection Division of the Department of Consumer Affairs, without unreasonable delay of the distribution, timing,… (§ 39-1-90(K), South Carolina Code of Laws, Sections 16-13-512, Credit Card, and 39-1-90, Breach of security of business data notification, 2008 Session)
  • A consumer reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the database of another consumer reporting agency or multiple consumer credit reporting agencies, and does not maintain a permanent data base of credit information from w… (§ 47-18-2108(n)(1), Tennessee Code, Title 47, Chapter 1,8 Part 21, Identity Theft Deterrence, Sections 47-18-2101 thru 47-18-2110)
  • A consumer reporting agency shall place a security freeze on a consumer report no later than three (3) business days after receiving the written or electronic request from the Tennessee consumer. (§ 47-18-2108(b), Tennessee Code, Title 47, Chapter 1,8 Part 21, Identity Theft Deterrence, Sections 47-18-2101 thru 47-18-2110)
  • The consumer reporting agency shall send a written confirmation of the security freeze to the Tennessee consumer within ten (10) business days of placing the security freeze on the consumer report, and shall provide the Tennessee consumer with a unique personal identification number or password, oth… (§ 47-18-2108(c), Tennessee Code, Title 47, Chapter 1,8 Part 21, Identity Theft Deterrence, Sections 47-18-2101 thru 47-18-2110)
  • Except as provided in subsections (d), (e), and (f), a security freeze shall remain in place until the Tennessee consumer requests that the security freeze be removed permanently. A consumer reporting agency shall permanently remove a security freeze no later than two (2) business days from the rece… (§ 47-18-2108(j), Tennessee Code, Title 47, Chapter 1,8 Part 21, Identity Theft Deterrence, Sections 47-18-2101 thru 47-18-2110)
  • If a Tennessee consumer requests a security freeze pursuant to this section, the consumer reporting agency shall disclose to the Tennessee consumer the process of placing and temporarily lifting a security freeze and the process for allowing access to information from the consumer report for a speci… (§ 47-18-2108(i), Tennessee Code, Title 47, Chapter 1,8 Part 21, Identity Theft Deterrence, Sections 47-18-2101 thru 47-18-2110)
  • You have a right to place a "security freeze" on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. A security freeze must be requested in writing by certified mail or by electronic means as provide… (§ 47-18-2109 ¶ 1 Sub ¶ 2, Tennessee Code, Title 47, Chapter 1,8 Part 21, Identity Theft Deterrence, Sections 47-18-2101 thru 47-18-2110)
  • A consumer report agency shall not charge a Tennessee consumer to place, temporarily lift, or permanently remove a security freeze. (§ 47-18-2108(l), Tennessee Code, Title 47, Chapter 1,8 Part 21, Identity Theft Deterrence, Sections 47-18-2101 thru 47-18-2110)
  • If the organization must notify more than 10,000 affected individuals about a breach, the organization must also notify all national consumer reporting agencies, without unreasonable delay, of the distribution, timing, and content of the notices. (§ 521.053(h), Texas Business and Commercial Code, Title 11, Subtitle B, Chapter 521, Subchapter A, Section 521)
  • If the organization must notify more than 1,000 Vermont residents about a breach, the organization must also notify all national consumer reporting agencies, without unreasonable delay, of the distribution, timing, and content of the notices. This requirement is not applicable for organizations lice… (§ 2435(c), Vermont Statute, Title 9, Chapter 62, Protection of Personal Information, Sections 2430, 2435, 2440, 2445)
  • If the organization must notify more than 1,000 affected individuals about a security breach, it must also notify all national consumer reporting agencies and the Office of the Attorney General, without unreasonable delay, of the distribution, timing, and content of the notice. (§ 18.2-186.6.E, Virginia Code, Title 18.2, Chapter 6, Breach of personal information notification, Section 18.2-186.6)
  • If the organization must notify more than 1,000 affected individuals about a breach, the organization must also notify all national consumer reporting agencies, without unreasonable delay, of the distribution, timing, and content of the notices. Organizations subject to Title V of the Gramm-Leach-Bl… (§ 46A-2A-102(f), West Virginia Code Chapter 46A Article 2A Breach of Security of Consumer Information § 46A-2A-101 thru § 46A-2A-105, 2009 Legislative Session)
  • If the organization must notify more than 1,000 affected individuals about a breach, the organization must also notify all national consumer reporting agencies, without unreasonable delay, of the distribution, timing, and content of the notices. (§ 134.98(2)(br), Wisconsin Statute, Chapter 134, Notice of unauthorized acquisition of personal information, Section 134.98, 2008 Session)
  • In accordance with this Code, except when a security freeze has been placed on a consumer credit report by another consumer credit reporting agency from which the information was obtained,the following persons are not required to a place security freeze into a consumer credit report: a fraud preven… (40-12-505(d), Wyoming Statutes, Title 40, Article 5, Breach of the security of the data system, Sections 40-12-501 thru 40-12-509)
  • At the data owner's request, the person responsible for or the user of the data bank (for credit information services) must communicate reports, appraisals, and evaluations about the data owner that took place over the last 6 months, along with the name and address of the recipient, if the data was … (§ 26.3, Argentina Personal Data Protection Act)