December 16, 2015

New European Privacy Plan Announced

Earlier this week, the European Parliament and Council announced they have (finally) agreed upon a new General Data Protection Regulation (the GDPR).  This is really big news for all U.S. companies that do business in Europe or with Europeans.

The GDPR has not yet been voted into law, but the agreed-upon language is probably quite close to the final law.  The International Association of Privacy Professionals (of which I'm a certified member) has published a great, concise list of the key provisions, which I commend to you:

• The law applies to any controller or processor of EU citizen data, regardless of where the controller or processor is headquartered.

• Notification of a data breach that creates significant risk for the data subjects involved must be made within 72 hours of the discovery of the breach.

• New powers are provided to data protection authorities, including the ability to fine organizations up to four percent of their annual revenue.

• Many organizations will now be required to appoint a data protection officer.

• Personal data may only be collected for “specified, explicit and legitimate purposes.”  The text also introduces principles of “data minimization,” “accuracy,” “storage limitation” and “integrity and confidentiality.”

• The GDPR requires “accountability,” which means the “controller shall be responsible for and be able to demonstrate compliance” with the law.

• Processing of data will only be allowed with explicit consent, to perform a contract, to comply with a legal obligation, to protect the vital interests of the data subject, or to perform a task in the public interest.

• That consent has to be demonstrable upon demand, and it can be retracted by the data subject at any time.

• There will still be variation from member state to member state.

• Children under the age of 16 will need to get parental approval to give consent, unless the member nation passes a law to lower the age (but no lower than 13).

• Special categories of personal data are established that include genetic, biometric, health, racial and political data, among others.

• Data controllers have to provide any information they hold about a data subject free of charge and within one month of request.

• A “right to erasure” is established, where controllers are required to delete personal data...even if the data has been made public already.

The next legislative step is for the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs ("LIBE Committee") to vote on the text tomorrow (December 17), and if it passes, the full Parliament is expected to vote in January.

There is much more to come on this very significant development. 


December 1, 2015

PSA: New North Carolina Laws Become Effective Today (December 1, 2015)

The law is ever-changing, which is part of the reason I find it fascinating.  Several new North Carolina laws become effective today, December 1st.  Many of them are criminal laws, but some may be of interest to business owners and managers, including the following:
 - Electronic signature and notarization on vehicle titles [SL 2015-270 / SB 370]
 - An omnibus regulatory reform bill [SL 2015-286] that, among other things:
  • Repeals the offense of "using profane or indecent language on public highways, except in certain counties";
  • Repeals the offense of refusing to relinquish a party telephone line in an emergency;
  • Excludes volunteers and officers of certain nonprofits from the definition of "employee" for purposes of the Workers' Compensation statute;
  • Expands the "Good Samaritan" law to allow well-intentioned people to break into a car, boat or aircraft to assist a person in need; and
  • Makes numerous environmental law changes.

 - Privacy law enhancements (including the so-called "revenge porn" law) [SL 2015-250 / HB 792] (See for more.)

You can find out more about each of these laws and more in the N.C. General Assembly's summary, available here.


October 6, 2015

The EU/US Safe Harbor Is No Longer Safe!
Today, Europe's top court, the European Court of Justice, ruled that a 15-year-old pact between the United States and the European Union which allowed American organizations to handle the personal data of Europeans (the EU/US Safe Harbor) was invalid.  The decision will have massive, far-reaching implications for American businesses and organizations that are active in Europe.

The Backdrop

Trans-Atlantic data transfers involving the personal information of Europeans must comply with the Data Protection Directive, which is a European pact that has been adopted by each member state (i.e., most of Europe, but not Switzerland).  The Directive requires that a transfer of personal data to a non-EU country may take place only if that country ensures an adequate level of data protection and privacy. The Directive also provides that the EU Data Protection Commission may determine that a non-EU country ensures an adequate level of protection as a result of that country's own domestic privacy laws or an international treaty.  

The Facts

The challenge to the Safe Harbor arose in legal proceedings between an Austrian citizen, Mr. Maximilian Schrems, and the Irish Data Protection Commissioner concerning the Commissioner's refusal to investigate a complaint made by Schrems.  Schrems has been a Facebook user since 2008, and some or all of the data provided by Schrems to Facebook was transferred from Facebook’s Irish subsidiary to servers located in the United States. Schrems lodged a complaint with the Irish Commissioner, alleging that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the US intelligence services (specifically the NSA), the law and practice of the United States do not offer sufficient protection against surveillance. 

The Issues

In response to Schrems' allegations, Facebook pointed out that it was fully compliant with the EU/US Safe Harbor and the US Department of Commerce's requirements for participation in the Safe Harbor.  The Irish Commissioner refused to consider the complaint because the EU Data Protection Commission had long ago ruled (in 2000) that the EU/US Safe Harbor was a valid basis for the trans-Atlantic transfer of personal data of European citizens.  (As a technical legal matter, the case was a challenge of the validity of Commission Decision 2000/520/EC (26 July 2000) pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbor privacy principles and related FAQ issued by the US Department of Commerce.)

The Court's Conclusions

The Court concluded that the decision by the EU Data Protection Commission that the EU/US Safe Harbor is valid did not preclude a member nation's Data Protection Commissioner (in this case Ireland) from reaching the opposite conclusion.  The Court ruled that the Irish Commissioner should have heard the complaint and made an independent determination whether the EU/US Safe Harbor provides adequate protection of the personal information of EU citizens in light of the fact that the US government's surveillance programs might not respect the privacy of EU citizens as interpreted under EU law. 

The Court went further to evaluate the 2000 decision of the EU Data Protection Commission.  It determined that in the US, national security, public interest and law enforcement interests prevail over the Safe Harbor scheme, so that United States organizations are required by US law to disregard the protective rules laid down by the Safe Harbor when they conflict with US policy interests.  The Court then concluded that US law, and the Safe Harbor, enable interference by United States national security and law enforcement authorities with the fundamental rights of Europeans. This interference is incompatible with the Directive, said the Court.

Having reached these conclusions, the Court held that the Irish Commissioner was required to evaluate Schrems’ complaint "with all due diligence" and, following its "investigation," was obligated to "decide whether, pursuant to the Directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data."  The Court essentially remanded the case to the Irish Commissioner with instructions to evaluate the issues, and with the subtext that the EU/US Safe Harbor is inadequate.

You can read the Court's decision here, and the Court's press release here.

No appeal is possible, because the European Court of Justice is the equivalent of the U.S. Supreme Court--the court of last resort.  Simultaneously, European leaders and US officials are negotiating a new agreement on trans-Atlantic data transfers.  Today's decision will no doubt create a new degree of urgency in those talks.

What Does It Mean to Your Organization?

The likely outcome of this decision is that transfers of personal data made under the auspices of the Safe Harbor may violate European data protection laws.  In other words, the Safe Harbor is not really "safe" after all.  Without the Safe Harbor, each country in the EU could reach different conclusions as to whether US privacy laws and practices satisfy the EU's Directive, which would require US companies to address each member nation's laws individually rather than satisfying a single set of EU requirements.  This could create enormous obstacles to US organizations doing business in Europe.

As a result, organizations are well-advised to take a belt-and-suspenders approach (or "belt-and-braces" as they say across the Atlantic) by ensuring that data transfers are justified on another basis (in addition to compliance with the Safe Harbor). Those other bases include "binding corporate resolutions" (in which the organization essentially passes a binding corporate resolution to comply with EU law with respect to EU personal data) and "model clauses" (which are contractual obligations to comply with EU privacy requirements).  The binding corporate resolutions and model clauses have frequently been deemed more onerous for US organizations than the Safe Harbor's requirements.  As a result, fewer US organizations have these measures in place.  Many will be scrambling to adopt them in light of the new uncertainty of the "Safe" Harbor. 

August 8, 2015

The Law of Prize Drawings: It's All Fun and Games, Until...


Everyone loves a game. Games activate the creative, imaginative portions of our minds in ways that captivate our attention. Games can help organizations engage with people, which is why marketing professionals love games. Businesses, governments and nonprofits have found tremendous success in garnering attention through various sorts of contests and games. Ancient rulers used games to win the allegiance of their subjects.  In more recent times...well, who among us hasn't played McDonald's Monopoly?

The uncertainty of outcomes is part of what makes games fun. Unfortunately, nefarious characters have also used games in unethical ways, causing state and federal governments to enact laws governing the use of certain games. Anyone who wishes to sponsor a game should give thought to whether these laws apply, in order to avoid running afoul of regulatory authorities and being sued in a class action. The following is a basic overview of the federal and North Carolina laws governing games and contests.


State laws restrict lotteries for two primary reasons. First is the potential for harm to the public (especially "problem gamblers"). Second, a state may create a government monopoly on lotteries, which allows it to raise money without competition. The penalties for violating these laws can be significant.
A lottery is generally defined by three elements: a chance for a prize for a price. Not all lotteries are easy to identify. A cash entry fee is certainly a telltale sign of a lottery; however, purchase requirements and noncash entry "prices" can also cause a game to be deemed a lottery. If a purchase is required to enter into a drawing or other game of chance, the event may well be a lottery. Courts in some other states have held that merely requiring participants to travel to the sponsor's premises to register is a sufficient "price" to cause the promotion to be deemed a lottery, even if the participants are not required to buy anything. North Carolina courts have never gone that far, but it should be remembered that nonfinancial, performance-based conditions to entry might cause a promotion to be considered a lottery.
A "raffle" is nothing more than a specific type of lottery. It is a game in which the prize is won by random drawing of the name or number of one or more persons purchasing chances. For-profit entities are prohibited by North Carolina law from hosting a raffle. A tax-exempt nonprofit organization, candidate, political committee, or government entity is permitted to host up to two (2) raffles per year. If a nonprofit hosts the raffle, a certain percentage of the net proceeds must be used for charitable, religious, educational, civic, or other nonprofit purposes. There are also some specific items that the net proceeds of the raffle cannot be used to pay.
Sweepstakes/Prize Drawings
Under federal law, a chance to win a prize for which no money or other item of value is paid is called a "sweepstakes." (Often we see or hear these advertised on television or radio, and the announcer rattles off "no purchase necessary to enter.") There are federal requirements regarding the disclosure of terms and conditions, and other specific items. North Carolina law covers the same subject, although the term "sweepstakes" is not used. The requirements of North Carolina and federal law are similar, but there are a few differences. 
The sponsor of a prize drawing should disclose to each participant the following information: 
  • the name of the organization conducting the contest and its principal business address
  • all conditions that a participant must meet
  • an accurate description of each prize to be awarded
  • the retail value of each prize
  • the number of each prize to be awarded
  • the odds of receiving each prize
The law also contains requirements for the precise placement of certain disclosures on any advertisements.
A disclaimer should be included in all materials related to a sweepstakes or drawing that explains in clear terms that no purchase is necessary to enter or win, and that a purchase will not increase the chances of winning.
In addition to these statutory requirements, there are additional considerations that a drawing or contest sponsor will want to address in order to limit its liability under contract law and tort law. 
Tax Reporting Requirements
The Internal Revenue Code and U.S. Treasury regulations require an organization awarding a prize to file informational returns with the IRS when the prize is valued at a certain amount (currently $600), and to withhold a certain percentage of the winnings (currently 25%) if the value exceeds another amount (currently $5,000). Failing to file or withhold can result in the organization being held liable for the tax.
Alcoholic Beverage Law
North Carolina law addresses the sale or consumption of alcoholic beverages in connection with a game of chance. Sale or consumption of alcohol cannot occur in the same room while a raffle or bingo game is "being conducted." The statute does permit a drawing to occur in an adjacent room where alcohol is neither sold nor consumed. Specifically, no alcohol may be sold, served or consumed in a room when any of the following activities are ongoing: when a "prize is won," a "random drawing by name or number" occurs, a person "purchases chances," winners are announced, or prizes are awarded.
Time to Play!
By complying with the applicable state and federal laws, an organization can reap the benefits of a game without the risks. An expert who knows these rules and how to implement them can help an organization quickly and efficiently plan an event that will be fun and effective for everyone.


Raleigh Attorney Matt Cordell has been named among the best lawyers in North Carolina by numerous organizations and peer surveys. 


July 3, 2015

What Does It Mean To Be "Certified" In Privacy And Information Security?

I recently became certified by the IAPP in information privacy and received the CIPP/US designation. "What does that mean?" you ask? Good question!

What is the CIPP/US designation?

The International Association of Privacy Professionals (IAPP) is a nonprofit association of privacy professionals--the largest in the world. The IAPP issues the Certified Information Privacy Professional (CIPP) designations, which are the most recognized information privacy certifications globally. The CIPP/US credential demonstrates an understanding of privacy and security concepts, best practices, and international norms, with a specific emphasis on U.S. privacy and information security laws. Applicants are tested to ensure they have the requisite knowledge in the following areas:

I. The U.S. Privacy Environment
A. Structure of U.S. Law
i. Constitutions
ii. Legislation
iii. Regulations and rules
iv. Case law
v. Common law
vi. Contract law
c. Legal definitions
d. Regulatory authorities
i. Federal Trade Commission (FTC)
ii. Federal Communications Commission (FCC)
iii. Department of Commerce (DoC)
iv. Department of Health and Human Services (HHS)
v. Banking regulators
vi. State attorneys general
vii. Self-regulatory programs and trust marks
e. Understanding laws
i. Scope and application
ii. Analyzing a law
iii. Determining jurisdiction
iv. Preemption
B. Enforcement of U.S. Privacy and Security Laws
a. Criminal versus civil liability
b. General theories of legal liability
i. Contract
ii. Tort
iii. Civil enforcement
c. Negligence
d. Unfair and deceptive trade practices (UDTP)
e. Federal enforcement actions
f. State enforcement (Attorneys General (AGs), etc.)
g. Cross-border enforcement issues (Global Privacy Enforcement Network (GPEN))
h. Self-regulatory enforcement (PCI, Trust Marks)
C. Information Management from a U.S. Perspective
a. Data classification
b. Privacy program development
c. Incident response programs
d. Training
e. Accountability
f. Data retention and disposal (FACTA)
g. Vendor management
i. Vendor incidents
h. International data transfers
i. U.S. Safe Harbor
ii. Binding Corporate Rules (BCRs)
i. Other key considerations for U.S.-based global multinational companies
j. Resolving multinational compliance conflicts
i. EU data protection versus e-discovery
II. Limits on Private-sector Collection and Use of Data
A. Cross-sector FTC Privacy Protection
a. The Federal Trade Commission Act
b. FTC Privacy Enforcement Actions
c. FTC Security Enforcement Actions
d. The Children’s Online Privacy Protection Act of 1998 (COPPA)
B. Medical
a. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
i. HIPAA privacy rule
ii. HIPAA security rule
b. Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
C. Financial
a. The Fair Credit Reporting Act of 1970 (FCRA)
b. The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
c. The Financial Services Modernization Act of 1999 ("Gramm-Leach-Bliley" or GLBA)
i. GLBA privacy rule
ii. GLBA safeguards rule
d. Red Flags Rule
e. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
f. Consumer Financial Protection Bureau
D. Education
a. Family Educational Rights and Privacy Act of 1974 (FERPA)
E. Telecommunications and Marketing
a. Telemarketing sales rule (TSR) and the Telephone Consumer Protection Act of 1991 (TCPA)
i. The Do-Not-Call registry (DNC)
b. Combating the Assault of Non-solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
c. The Junk Fax Prevention Act of 2005 (JFPA)
d. The Wireless Domain Registry
e. Telecommunications Act of 1996 and Customer Proprietary Network Information
f. Video Privacy Protection Act of 1988 (VPPA)
g. Cable Communications Privacy Act of 1984
III. Government and Court Access to Private-sector Information
A. Law Enforcement and Privacy
a. Access to financial data
i. Right to Financial Privacy Act of 1978
ii. The Bank Secrecy Act
b. Access to communications
i. Wiretaps
ii. Electronic Communications Privacy Act (ECPA)
1. E-mails
2. Stored records
3. Pen registers
c. The Communications Assistance to Law Enforcement Act (CALEA)
B. National Security and Privacy
a. Foreign Intelligence Surveillance Act of 1978 (FISA)
i. Wiretaps
ii. E-mails and stored records
iii. National security letters
b. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA-Patriot Act)
i. Other changes after USA-Patriot Act
C. Civil Litigation and Privacy
a. Compelled disclosure of media information
i. Privacy Protection Act of 1980
b. Electronic discovery
IV. Workplace Privacy
A. Introduction to Workplace Privacy
a. Workplace privacy concepts
i. Human resources management
b. U.S. agencies regulating workplace privacy issues
i. Federal Trade Commission (FTC)
ii. Department of Labor
iii. Equal Employment Opportunity Commission (EEOC)
iv. National Labor Relations Board (NLRB)
v. Occupational Safety and Health Act (OSHA)
vi. Securities and Exchange Commission (SEC)
c. U.S. Anti-discrimination laws
i. The Civil Rights Act of 1964
ii. Americans with Disabilities Act (ADA)
iii. Genetic Information Nondiscrimination Act (GINA)
B. Privacy before, during and after employment
a. Employee background screening
i. Requirements under FCRA
ii. Methods
1. Personality and psychological evaluations
2. Polygraph testing
3. Drug and alcohol testing
4. Social media
b. Employee monitoring
i. Technologies
1. Computer usage (including social media)
2. Location-based services (LBS)
3. Mobile computing
4. E-mail
5. Postal mail
6. Photography
7. Telephony
8. Video
ii. Requirements under the Electronic Communications Privacy Act of 1986 (ECPA)
iii. Unionized worker issues concerning monitoring in the U.S. workplace
c. Investigation of employee misconduct
i. Data handling in misconduct investigations
ii. Use of third parties in investigations
iii. Documenting performance problems
iv. Balancing rights of multiple individuals in a single situation
d. Termination of the employment relationship
i. Transition management
ii. Records retention
iii. References
V. State Privacy Laws
A. Federal vs. state authority
B. Marketing laws
C. Financial Data
a. Credit history
b. California SB-1
D. Data Security Laws
a. SSN
b. Data destruction
E. Data Breach Notification Laws
a. Elements of state data breach notification laws
b. Key differences among states

Why did you decide to get the CIPP/US certification?

More and more people are claiming to be privacy experts these days, including a number of lawyers. Although very few law firms advertised a privacy practice group as of just a few years ago, almost all large law firms do now...with varying degrees of credibility. Some lawyers are holding themselves out as privacy experts when their expertise is limited to a couple of privacy laws and a specific context. They are nonetheless re-branding themselves as "privacy" lawyers. While there certainly are more lawyers who are competent in a range of privacy and information security issues than ever before, they remain few and far between. The CIPP/US certification is perhaps the best way to clearly and immediately demonstrate an understanding of the core concepts and legal issues of privacy and information security.

Does the CIPP/US designation guarantee expertise?

The CIPP/US designation does not guarantee expertise in any particular area of privacy law. The certification tests (there are currently two) do not require the depth of understanding that a true expert must have. For example, the study guides and tests cover financial privacy issues at a level of depth just beyond the surface. There is much more to know about financial privacy law and practice.  Furthermore, there are very accomplished lawyers in these spaces who are not certified by IAPP.  However, the CIPP/US designation does provide assurance that the certificate holder is at least aware of the salient issues and knows where to find answers or guidance, and those two items are very important. Furthermore, certification requires ongoing learning. Maintaining IAPP CIPP certification requires the holder to fulfill 20 hours of continuing privacy education (CPE) per two-year period, to ensure the holder's knowledge remains up to date.

The CIPP/US certification is no guarantee of true legal expertise, but it does provide an independent confirmation of basic competence across a broad spectrum of privacy and information security law. It also tells you that the holder is continuing to build upon his or her knowledge in these areas.

* The N.C. State Bar, the regulatory body that supervises and disciplines lawyers licensed in North Carolina, prohibits a lawyer from using the term "specialized" to describe anything other than a N.C. Bar-issued certificate of specialization in one of a very limited number of fields of law.  There is no specialization available from the N.C. State Bar for privacy, information security, or any related field of law.

June 27, 2015

A New Role with the YLD, the Future of the Legal Profession

Those of you who know me well or who read this blog regularly know that I believe in the Young Lawyers Division of the North Carolina Bar Association and the more than 6,400 young lawyers who belong to it.  In the past eight years, I have witnessed young lawyers volunteer to help thousands of people with significant legal needs and do important work to improve the legal profession.  This is a great group of people, and I am immensely honored that they have elected me to lead them.  I will take office as Chair of the YLD in June of 2016.  In the meantime, if you are a service-minded lawyer under 36, or if you have ideas about what the YLD can do to further its missions (service to the public, service to the bar, and leadership training), please let me know.

June 15, 2015

Five Simple Steps You Can Take to Protect Your Loved Ones on Elder Abuse Awareness Day

This post is a PSA.  Those of you who know me well (or read this blog regularly) know that I have spent a considerable amount of time and energy trying to help people prevent elder financial abuse.  The elderly in the United States lose an estimated $2.6 billion annually due to elder financial abuse and exploitation.  Today is the eighth annual Elder Abuse Awareness Day, which seems like an appropriate time to suggest a few simple steps you can take to help protect your loved ones from elder financial abuse.

1.  If his or her bank offers the opportunity (and is in North Carolina), ask your loved one to provide the bank with a list of trusted persons to whom the bank may speak in the case of suspicious activity.  I've written and spoken about this topic frequently, and you can read my comments here, here, here, here and here.

2.  Encourage your loved one to talk to an elder law attorney about naming a trustworthy person as attorney-in-fact to look after your loved one's interests.  Discourage your loved one from granting a power of attorney to anyone who is not 100% trustworthy and competent.

3.  A small number of unscrupulous telemarketers prey on the elderly.  One way to reduce the potential for this kind of abuse is to put your loved one's telephone number(s) on the national Do Not Call registry by filling out the form available here.

4.  Social media is not just for young people.  Many older adults have social media accounts these days.  Fraudsters sometimes use information gathered from social media to help them perpetrate frauds, such as spearphishing attacks.  Ask your loved ones to allow you to set privacy settings on their social media accounts so that strangers (and anyone else they shouldn't trust) will not be able to gain access to information that would help in such attacks.

5.  Encourage your loved one to obtain their free annual credit report and help them review the report for evidence of identity theft.  I have written about how to get a free credit report (as well as how to respond to identity theft) here.

Thank you for taking the time to read this post.  I hope this information will help you as you try to protect your loved ones from the growing threat of elder financial exploitation. 

June 2, 2015

Potential Opportunities for Cost Sharing by Community Banks

At the North Carolina Bankers Association's Annual Convention today, Kris Kiefer, Deputy Comptroller at the OCC, and John Henrie, Regional Director of the FDIC, referenced a recent OCC paper regarding bank pooling of resources to obtain better services at lower cost. 

The paper, titled “An Opportunity for Community Banks: Working Together Collaboratively,” describes ways in which community banks might collaborate to lower costs and obtain specialized expertise. The paper outlines how community banks can structure cooperative arrangements, and emphasizes the need for effective oversight of those arrangements.

Community banks can collaborate in several ways, according to the OCC, such as:
  • exchanging information and ideas;
  • jointly purchasing materials or services;
  • sharing back-office or other services;
  • sharing a specialized staff member or team;
  • jointly owning a service organization;
  • participating in disaster mitigation agreements; and
  • jointly providing/developing products and services.
In some cases, community banks will want to form an entity (such as an LLC) to engage in activities. The regulatory issues to be addressed in those situations will be whether the activities are permissible and whether the investment by the banks in the entity is permitted.  The OCC has its own rules and guidance for permissible activities, and has published guidance based on prior decisions.  State chartered banks may generally follow those rules and guidance, despite being regulated by other agencies.  Often the entities will be considered "noncontrolling investments" or "bank service companies," which are different from a regulatory standpoint than the "bank operating subsidiaries" that many banks may be more familiar with.  Often an application will be required.

As with loan participations and syndications, the guidance makes clear that bank collaborations should be documented in a binding agreement that allocates the responsibilities and risks associated with the activity.

Ideally, collaboration in areas in which it makes sense would enable community banks to achieve better outcomes at lower costs, increase their range of services, and enhance the expertise available to them.


June 1, 2015

TILA-RESPA Integration Will Be Here In Two Months. Are You Ready?

As all mortgage lenders know by now, beginning August 1, the new TILA-RESPA integrated disclosure requirements will become effective for any lender that makes more than five mortgage loans in a calendar year.  With two months to go, now is a good time to make sure your institution is ready.
If you have been paying attention, you know that the rule covers much more than just two new disclosure forms.  This is a complex, substantive change in the law.   In fact, the CFPB has published hundreds and hundreds of pages of rules and guidance.  I am not going to attempt to describe the new rules in detail here. (The final rule alone is 1,888 pages.) Instead, I just want to point out a few things and recommend a checklist for assessing your progress as you prepare for the August 1 deadline.
First, as I am sure you know, the new Loan Estimate form combines two existing forms, the Good Faith Estimate (GFE) and the initial Truth-in-Lending disclosure, into one form.  The Loan Estimate must be provided to an applicant (placed in the mail) no later than the third business day after he or she submits a loan application.
When Is An Application "Complete"?

One thing I want to be sure you understand is that unlike under the current rules, after August 1, a loan application that you might otherwise consider "incomplete" may trigger the Loan Estimate obligation.

The rule defines a loan application as having six of the seven elements that RESPA required: consumer’s name, consumer’s income, consumer’s social security number to obtain a credit report, property address, estimate of the value of the property and mortgage loan amount sought. The definition in the rule does not include RESPA’s seventh, catch-all term “any other information deemed necessary by the loan originator.” So, while you used to be able to deem a loan application incomplete for purposes of RESPA if it lacked some additional information that you deemed necessary, you no longer have that discretion. 
Also be careful about this: An application must be in writing, but any written record of an oral conversation is sufficient to trigger the requirement.

Even if a complete application has not been received, it will be permissible to provide an "early written estimate."  You should, however, include a clear disclaimer on any such estimate.
Revised Disclosures

Sometimes, disclosures need to be revised.  If a revised disclosure is necessary, it must be received by the customer at least four business days prior to closing, which means that if it is mailed, it must be mailed seven business days before closing.
Did You Endorse That Service Provider?

Separate from the Loan Estimate is a required list of settlement services for which the customer can shop. You must identify at least one provider for each service. Do you have a policy for how you will identify these providers for each market area? How many will you list for each category? Are you going to vet them? If not, do you have a disclaimer ready? (Hint: the model form does not have one.)
Collecting Fees

There are also new restrictions on fees that can be collected prior to giving a Loan Estimate and prior to a consumer’s consent to proceed. For example, no fee other than a credit report fee can be collected prior to the Loan Estimate and consumer consent to proceed. 
Pre-Closing Disclosure
As most of you know, the other major document required by the new rules is the Closing Disclosure, which combines two existing forms, the HUD-1 Settlement Statement and the final Truth-in-Lending disclosure, into one form, and must be provided to consumers at least three business days before closing the loan.
Mistakes are going to happen, but if they are caught in time, they can be corrected.  The rule says you can retroactively cure violations by refunding the excess portion of a cost or fee to the consumer, and delivering corrected disclosures to reflect the refund, within 60 days after closing.  You'll need to decide whether you want to set up a post-consummation review process to catch these errors and provide corrected Closing Disclosures.
Additional Disclosures
Beyond the two primary disclosures, there are others to have ready by August 1:
  • the post-consummation escrow cancellation notice (aka "Escrow Closing Notice") 
  • the post-consummation mortgage servicing transfer notice
  • partial payment notice

Record Retention 
You probably need to update record retention policies as well.
  • Keep a copy of the Closing Disclosure (and all documents related to the Closing Disclosure) for five years after consummation, even if you sell the loan and the servicing rights.
  • Keep the Post-Consummation Escrow Cancellation Notice (Escrow Closing Notice) and the Post-Consummation Partial Payment Policy disclosure for two years.
  • For all other evidence of compliance with the Integrated Disclosure provisions of Regulation Z (including the Loan Estimate), maintain records for three years after consummation of the loan.
  • Be sure you know when to use the new forms versus when to continue to use the existing disclosures (GFE, initial and final TIL, and the HUD-1).
    • Specifically, the TILA-RESPA rule does not apply to HELOCs, reverse mortgages, or mortgages secured by a mobile home or by a dwelling that is not attached to real property (i.e., land). (§ 1026.19(e) and (f))
    • However, certain types of loans that are currently subject to TILA but not RESPA are subject to the new integrated disclosure requirements, including construction-only loans, vacant-land loans, and loans secured by 25 acres or more.
And Many More...
Here are a few other things you'll want to think about:
  • Do you have policies and forms for pre-consummation and post-consummation disclosures?
  • How will a consumer give the required indication of intent to proceed with a loan? Are you going to have a form?
  • How are you going to track the new tolerances?
In addition, I suggest you take a look at the Readiness Questionnaire in Part 2 of the CFPB’s Mortgage Rules Readiness Guide. I encourage you to work through the TILA-RESPA Integration section that begins on page 15 and ends on page 21.  This is not mandatory (and it has not been added to the Exam Manual), but it may be useful to help determine how ready you are and what you need to do next. 

My hope is that each of you reading this article will be buoyed with confidence that you are well-prepared for the August 1 compliance deadline, but if you are not, I hope this article will help you identify the areas that need work in the final days before implementation.


May 30, 2015

The CFPB Wants More Information About Mortgage Loans. Guess Who's Going to Collect It.

As you may know, the Consumer Financial Protection Bureau collects data from mortgage lenders about mortgage loans. It is currently attempting to dramatically expand the scope of information that mortgage lenders are required to provide to it.  
The Home Mortgage Disclosure Act (HMDA, or, as I like to call it, "Hmm Duh") was enacted in 1975 and the Federal Reserve Board was given rulemaking authority (through which it authored Reg. C) until July 21, 2011, when the Dodd-Frank Act transferred that authority to the CFPB. HMDA requires lending institutions to report certain mortgage loan data. The Dodd-Frank Act also directed the CFPB to expand the HMDA dataset to include additional information about loans that would be helpful to better understand aspects of the mortgage market.  
The CFPB's proposed changes to the data that mortgage lenders are required to collect and report were published in July of last year. (That proposal was 572 pages--svelte by CFPB standards.)  The proposal went well beyond what the Dodd-Frank Act required. The comment period ended in October, and we are now awaiting the final rules. Here's what the proposal entails:
More Loans
Regulation C currently uses a "purpose" test to determine whether a mortgage loan transaction must be reported. Loans made to purchase, refinance, or improve a home are covered. The proposed rule would require that covered lenders report, with some exceptions, all loans secured by dwellings. "Dwelling" isn't limited to a primary residence; it includes vacation homes, multi-family properties, and rentals. Home equity lines of credit (HELOCs), which were not always covered previously unless the use of proceeds related to the home, will always be covered if the proposed rule is adopted.
Higher Reporting Threshold
Currently, Regulation C requires banks to submit HMDA data even if they make only one home loan in a given year; however, the proposal would set a 25 loan threshold. For purposes of counting the threshold, only closed-end loans (including reverse mortgages)--not HELOCs--are counted. 
New Information
The proposed rule would add not only the 17 new data fields called for by Dodd-Frank, but also 20 additional fields that the CFPB believes are necessary to help it monitor the marketplace. 
The new information required by the Dodd-Frank Act includes, for example:
  • the property value;
  • term of the loan;
  • total points and fees;
  • rate spread;
  • the duration of any teaser or introductory interest rates;
  • prepayment penalties;
  • nonamortizing features;
  • loan officer number;
  • the applicant's or borrower's age;
  • credit score; and
  • application channel (retail or broker).
The CFPB's additional 20 fields include the following:
  • applicant's debt-to-income ratio;
  • loan-to-value ratio (LTV);
  • the automated underwriting system used;
  • the reason for denial (currently optional);
  • Qualified Mortgage (QM) status;
  • the interest rate of the loan;
  • the total discount points charged for the loan;
  • fees;
  • certain property information; and
  • manufactured housing data.
All of this is ostensibly to allow CFPB to see how the mortgage market is functioning, and specifically to determine how the "Ability to Repay" rule is affecting the market. (Although without a "before" data set, how can they know?)

Reporting Timeframe
Mortgage lenders currently report annually by March 1 for the preceding calendar year. Under the proposal, mortgage lenders that make 75,000 or more loans will have to start reporting quarterly. 
Reporting Format and Method

The proposed rule would align many of the HMDA data requirements with the widely used Mortgage Industry Standards Maintenance Organization ("MISMO") data standards, including the Uniform Loan Delivery Dataset ("ULDD") that is already used by the government-sponsored enterprises (GSEs).
The CFPB is considering creating its own web-based HMDA software that mortgage lenders would use to report their data. That sounds like a bad idea to me. (Remember how well the federal government's last big website rollout went?)
Public Disclosure
The CFPB did not state what, if any, of the new data proposed to be collected would be made available to the public. The bureau is still considering this issue.  (If the data is made available to the public, you can bet that some special advocacy groups will be scrutinizing the data and drawing inferences from it.)

Final Rule Expected This Year.
The CFPB has not announced when the final rule will be published, but most people expect it to be this year. I have seen a prediction for July, but that seems too soon to me. There are too many details around the reporting format and method to expect a final rule this summer, given the CFPB's many other initiatives.

Fair Lending Focus

Aside from the increased burden on mortgage lenders, I predict that the primary consequence of this change will be an increase in enforcement actions against mortgage lenders.  Obviously this new data will enable the CFPB and others to evaluate equal credit opportunity issues, and it probably will facilitate more disparate-impact-type claims.

May 9, 2015

The CFPB's Consumer Complaint Database Will Soon Include Consumers' Complaint Narratives. Are You Ready?

In case you missed it, the CFPB is trying to become the next Yelp or Angie's List.

The CFPB began accepting complaints from consumers as soon as it opened its doors in 2011—with over half a million currently on file.  In June of 2012, it started publishing a limited amount of data from the complaints on its website. Now, it has decided to give consumers a platform to "publicly share their stories." 

The CFPB's website already allows a consumer to describe his or her complaint in narrative form in a text box on the complaint webpage. The consumer can also attach documents to the complaint. The CFPB forwards the complaint to the company, requests a response, gives the consumer a tracking number, and updates the consumer on the status of the resolution.

In March, the CFPB revised its consumer complaint policy to allow consumers to publish their grievances—in their own words—on the CFPB's website.   Beginning later this month (May 2015), when consumers submit complaints to the CFPB, they will have the option to check a box to share their narrative. The narratives will have names, telephone numbers, account numbers, Social Security numbers, and other identifiers redacted. The CFPB will not, however, verify the truth or accuracy of the facts asserted in the consumer's complaint. 

Banks and other companies will be given the option to select from a limited list of structured response options within 180 days after the consumer complaint is routed to them. The response cannot be customized. Actually, the final policy says that the financial institution can "recommend" one of the pre-set responses to the CFPB, but the CFPB reserves the right to reject the response.

Complaints will be listed in the public database only after the financial institution responds to the complaint or after it has had the complaint for 15 days, whichever comes first. The CFPB will publish the consumer complaint narrative when the financial institution provides its public-facing response, or after the financial institution has had the complaint for 60 days, whichever comes first. If, within 15 days of receiving a notice of the complaint, a financial institution tells the CFPB that it has no record of a financial relationship with the complaining person, or if the financial institution tells the CFPB that it believes the complaint is fraudulent, the CFPB is not supposed to publish the complaint.

Despite the fact that this sort of information can become stale and of marginal value over time, the CFPB has determined that complaints will remain on the public database indefinitely.  Furthermore, the final policy fails to address whether complaints will be removed or changed when a financial institution merges or is acquired, or when a division is spun out.

I have written and spoken before about the importance of online reputation management for financial institutions. This development underscores the need for each financial institution to have a comprehensive online reputation management strategy. Aside from behaving honestly and ethically, the best (but not the only) thing a financial institution can do to protect its reputation online is to inundate the web with positive content. While there are some legal concerns to address when a financial institution expands its presence on the web, this strategy is the most effective way to ensure that the overall narrative reflects the financial institution's mission and message.

Image credit: matt cordell using (x-ray delta one)

March 1, 2015

Data Security Breaches, Unauthorized Transfers, and Corporate Account Takeovers ...What You Missed!

On Friday, I had the honor to join some distinguished speakers for an all-day continuing legal education seminar on computer technology and the law.  My fellow presenters were:
  • Clark Walton, former CIA forensic computer analyst, lawyer with Alexander Ricks, and founder of computer forensic firm Reliance Forensics (and formerly Chair of the NCBA Young Lawyers Division and the American Bar Association's Young Lawyer of the Year).
  • Ashden Fein, lead prosecutor of Private Bradley Manning in the WikiLeaks trial and now lawyer with Covington & Burling in Washington, D.C.
  • Chris Swecker, former Assistant Director of the FBI, lawyer, and security consultant.
  • Kim Korando, employment lawyer with Smith Anderson.
  • Joyce Brafford, law practice technology guru with the NCBA's Center for Practice Management.
It was a fascinating day, and I enjoyed hearing from these great speakers more than I enjoyed speaking myself.  (I was under the weather and quite hoarse.  My apologies to all who had to endure my voice.)

In the course of my presentation, we discussed the various legal response requirements following a data security breach, as well as liability for unauthorized transfers in consumer and commercial accounts. 

The program was well-attended in person and by webinar, but if you missed the opportunity to attend, I am providing a link to my slideshow here.  I hope you find it useful.

February 9, 2015

NC Commissioner of Banks Ray Grace Re-Appointed

Commissioner Ray Grace -photo by M. Cordell
Today, Governor McCrory appointed Ray Grace to serve as North Carolina's Commissioner of Banks for another term.  Although Commissioner Grace has been "appointed," the process actually works like a nomination: his appointment must be confirmed by each house of the General Assembly.

After serving in the Marine Corps during the Vietnam War, Grace graduated from college and immediately joined the Office of the Commissioner of Banks as a trainee examiner in 1974. He has served in various roles over the years, and has deep experience in the regulation and supervision of North Carolina financial institutions. 

After former Commissioner Joseph A. Smith, Jr., resigned effective February 16, 2012 to become the nationwide mortgage settlement czar, then-Governor Beverly Perdue appointed Grace, then Deputy Commissioner, to serve as Acting Commissioner. Under the banking statute in effect at the time, Governor Perdue was required to submit the name of a permanent successor to the General Assembly within four weeks. She nominated Ray Grace by the end of the month, and he became Acting Commissioner. However, as I predicted back in February of 2012, the confirmation process took much, much longer.  Governor McCrory re-nominated Acting Commissioner Grace more than a year later, in March of 2013. The Senate approved on May 15, 2013, and the House approved on June 6, 2013.  Commissioner Grace's initial term was the remainder of what would have been Joe Smith's final term, expiring March 31, 2015.

Under the new banking statute, Governor McCrory was required to appoint a Commissioner of Banks by February 1.  Apparently it took a few days for that appointment to be publicly announced.  Assuming he is confirmed by the General Assembly, the Commissioner's term will continue for four years (until March 31, 2019).


January 16, 2015

What Would The White House's Data Security Breach Proposal Mean For North Carolina Businesses?

Earlier this week, the President announced a new cybersecurity initiative. The White House explained that:
"[t]here is a growing perception that individuals have lost control of their personal information; a negative implication of such a view is it may serve as an inhibitor of the use of technology, stymie innovation, and contribute to a less productive economy."
Of course, the President has no legal authority to implement most of his proposals. The Constitution gives Congress the sole power to introduce and pass legislation. The President's role is simply to sign or veto a bill once Congress approves. However, the President's bully pulpit gives him the practical ability to influence Congress' agenda. The primary purpose of the President's current cybersecurity push is to pressure Congress to enact comprehensive cybersecurity legislation.
As of now, the White House has not disclosed all of the text of the proposed bill--only bits and pieces. What we have been told is that the proposal has multiple components. One component that has been described in detail is the breach notification requirement (styled as "The Personal Data Notification & Protection Act"), the full text of which you can read here.

North Carolina and 45 other states already have a data breach notification law. This might suggest that there is no need for a nationwide breach notification rule. Are state breach notification rules inadequate? Is there a compelling need for nationwide uniformity? These are important policy questions. In order to evaluate them, it might be helpful to understand how the White House proposal differs from state laws--particularly the data breach notification requirement found in the North Carolina Identity Theft Protection Act. This blog post will compare the White House proposal to North Carolina's existing breach notification requirement.

Entities Covered. The North Carolina breach notice statute applies to any business in North Carolina or that "owns or licenses" information about North Carolina residents. Under the White House proposal, only businesses that hold sensitive personally identifiable information about more than 10,000 individuals would be covered.

The Reporting Requirement of a Security Breach. The White House proposal would require business entities to give notice of a "security breach" involving "sensitive personally identifiable information." The term "security breach" in the White House proposal would mean a "compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in...unauthorized acquisition... or access...."

The term is defined slightly differently under North Carolina law. Under our Identity Theft Protection Act, a security breach is "[a]n incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer."

Here's one difference: It would be harder to avoid reporting "low risk" incidents under the White House proposal. There are all sorts of scenarios that might result in unauthorized access, some of which can be relatively innocuous and probably do not warrant reporting. You can imagine such situations easily. The White House proposal would make it harder to avoid reporting in these situations. Under the North Carolina law, a breach occurs when "illegal" use "has occurred or is reasonably likely to occur" or there is "a material risk of harm to a consumer." Under the White House proposal, there is a breach, and therefore a reporting requirement (at least to the FTC), if there is an "unauthorized acquisition" or "excess of authorization." Under the White House proposal, even if the incident presents a low degree of risk, it must be disclosed to the FTC.

Here's another difference: Under the North Carolina statute, if a hard drive is stolen, but it's encrypted, there is no breach. Under the NC statute, that ends the analysis, and there is no reporting requirement. Under the White House proposal, there is a breach, even if the information was encrypted, and the custodian of the information would then have to undertake a risk assessment to determine if there is a "reasonable risk that a security breach has resulted in, or will result in, harm to the individuals." Encryption might support a presumption that there is no reasonable risk of harm. However, under the White House proposal, the business would be required to self-report to the Federal Trade Commission within 30 days:
  • that it had experienced a breach and conducted a risk assessment,
  • the results of the risk assessment,
  • that it had concluded that there was no reasonable risk to individuals; and
  • logging data (i.e., records of access and changes to a database) for the six months prior and database users' and administrators' log-in information.

Definition of Personal Information. The term "sensitive personally identifiable information" is defined in the White House proposal similarly to the term "personal information" in the North Carolina statute, except that the White House proposal is slightly more broad and would also allow the Federal Trade Commission to create other categories of "sensitive personally identifiable information" by rule. In this way, the White House proposal might be more easily adjusted to changes in technology.

Timing of Notice. The days immediately following discovery of a security breach are difficult for a business, as well as being important to law enforcement. The first priority is almost always to identify and eliminate vulnerabilities. Businesses are reluctant to make public statements before they have obtained and analyzed the facts. Each of these steps may require outside help from forensic computer experts and security experts. It takes time. One of the ways in which the White House proposal differs from the North Carolina statute is the timing of reporting obligations. Under both the North Carolina statute and the White House proposal, the breached business must notify affected customers "without unreasonable delay." However, under the White House proposal, that means no later than 30 days unless the FTC grants an extension.

Public Notice. In addition to notifying affected individuals, state statutes often require a public announcement, of some sort, of the breach. Under the North Carolina statute, the business must notify statewide media of the breach (and place a notice on its website) only if it chooses not to contact affected individuals directly because the cost of providing notice would exceed $250,000 or the number of affected individuals exceeds 500,000. Under the White House proposal, if more than 5,000 residents of any particular state are affected, the breached business must notify statewide "major media outlets" of the breach.

Under the White House proposal, if more than 5,000 individuals are affected by a breach, the business must notify the credit reporting agencies. Under the North Carolina statute, the threshold for making such a report is 1,000.

Allocation of Responsibility to Provide Notice. Under the North Carolina statute, the reporting obligation falls on the business that "owns or licenses" the personal information. A third party custodian who does not own or license the information must merely notify the owner or licensee of the information (not the affected individuals) in the event of a breach. The North Carolina statute does not address whether the owner/licensor can agree with the custodian that, in the event of a breach, the custodian would be responsible to provide notice to customers.

The White House proposal expressly allows owners/licensees and custodians to enter into a contract that allocates the responsibility to notify affected individuals of a breach; however, the notice must include reference to the party who has a direct business relationship with the affected individuals (i.e., the owner/licensee).

Summary. As you can see, the White House proposal differs from existing North Carolina law in a number of ways. From the perspective of a business that has consumer data, the White House proposal generally seems more burdensome; however, for businesses operating in multiple states, the additional obligations of the White House proposal might be outweighed by the benefits of having a uniform law across jurisdictions. (Responding to a multi-state breach is very challenging because of the variation in state breach response laws.) 

Whether Congress will take up the proposal in earnest, and whether legislation resembling the White House proposal will pass both houses, is anyone's guess, but one thing is clear at this point--the President has initiated a public dialogue on these issues.

January 11, 2015

When Your Identity Has Been Stolen: 10 Steps to Follow

On several occasions, I've been asked to help individuals whose identities have been stolen. However, most of the time, it is not cost-effective for a lawyer to handle the majority of the initial steps in responding to the theft of an individual's identity. Instead, the affected person is usually best advised to handle most of the first steps themselves. [FN1]

As a public service, I'm providing the following step-by-step guide for individuals who suspect that credit has been obtained in their name without their consent. (There are other kinds of identity theft, but this is the most common.) Although the Federal Trade Commission has a good guide for victims of identity theft, it (i) requires you to read several different webpages instead of just one, and (ii) does not explain the state-law-specific aspects of recovering from identity theft. This is intended to be a simplified guide for North Carolina residents.

1.   Put a Fraud Alert on Your Credit Report. Call any one of the three major credit reporting agencies and instruct them to place a fraud alert on your credit report. (Tell the agency you contact to tell the other two to do the same...although there's no harm in calling all three yourself). You'll be required to prove your identity when placing a fraud alert. There is no cost to you to place a fraud alert. The purpose of an initial fraud alert is to make it harder for an identity thief to open more accounts in your name. An initial fraud alert lasts 90 days, but can be renewed.

You can contact the credit reporting agencies at the following: Equifax - 1-800-525-6285, P.O. Box 740241, Atlanta, GA 30374-0241; Experian - 1-888-397-3742, P.O. Box 2104, Allen, TX 75013-0949; TransUnion - 1-800-680-7289, P.O. Box 1000, Chester, PA 19022.
2.   Order Your Free Credit Reports. When placing a fraud alert, you are entitled to a free credit report from each of the three major credit reporting agencies. The agency that you call (as instructed in #1 above) will explain your rights and how you can get a free copy of your credit report. You could also use this form.

3.   Submit an Affidavit to the FTC. Write out a description of how you learned about the suspected identity theft and everything you've learned about it since, in as much detail as you can. Next, you need to put this information into the form of an affidavit (a sworn written statement). The Federal Trade Commission has a helpful tool (called the "FTC Complaint Assistant") to put your information into the proper form, which you can use for free at When finished, submit the affidavit to the FTC through the website. Print or save a copy for your records. (Alternatively, you can use this form.)

4.   File a Police Report. Call the local law enforcement agency (a) where the theft appears to have occurred, or (b) where you live, or (c) both. In North Carolina, this is usually a police department if you live in a city or town, or a county sheriff's department if you live outside a municipality (though there are exceptions to this general rule). File a police report. (Either they will send an officer to you, or will ask you to come to the station.) Give the officer a copy of your FTC Identity Theft Affidavit. Also give the officer a copy of the FTC's official memo to local law enforcement agencies, a copy of which is available here. Ask to be given a copy of the police report once it's ready.
5.   File an FTC ID Theft Report. Together, your FTC Affidavit and the police report comprise an "FTC ID Theft Report." An FTC Report can help you (i) get fraudulent information removed from your credit report; (ii) stop a company from collecting debts that result from identity theft, or from selling the debt to another company for collection; (iii) extend the fraud alert on your credit report; and (iv) get information from companies about any accounts the identity thief opened or misused. Send the ID Theft Report to the credit bureaus and to any organization affected by the ID theft (such as a retailer or credit card company).
Send an ID Theft Report to the credit reporting agencies, and tell them whether you want to extend the fraud alert or initiate a security freeze (see #6 below). In either case, you should notify all three of the credit reporting agencies.

6.   Decide Whether You Want to Extend the Fraud Alert or Institute a Credit Freeze. Next, you need to decide whether to (a) extend the fraud alert or (b) initiate a security freeze.

Once you have created an ID Theft Report (FTC affidavit plus police report), you are entitled under federal law to extend your fraud alert for seven years. When you extend the fraud alert, you can get two free credit reports within 12 months from each of the three major credit reporting bureaus, and they must take your name off marketing lists for prescreened credit offers for five years, unless you ask them to put your name back on the list.

North Carolina residents are entitled by state law to "freeze" their credit reports. When a security freeze is in place, a consumer reporting agency may not release your credit report or information to a third party without your prior express authorization. If you want someone (such as a lender or employer) to be able to review your credit report (for a credit application or background check), you must ask the credit reporting agency to lift the security freeze. You can ask to lift the security freeze temporarily or permanently. (The credit reporting agency is required by NC law to give you a unique PIN or password when you initiate the security freeze to be used by you when requesting a temporary or permanent lift of the freeze.) If you request a lift to the freeze by mail, the agency has three business days to comply, but if you request electronically or by telephone, the agency must comply with the request within 15 minutes, pursuant to NC law. Putting a credit freeze on your credit file does not affect your credit score.

The cost to place and lift a freeze, and how long the freeze lasts, depends upon state law. Here in North Carolina, a freeze lasts as long as you wish, and a consumer reporting agency cannot charge a fee to put a security freeze in place, remove a freeze, or lift a freeze if your request is made electronically. If you request a security freeze by telephone or by mail, a consumer reporting agency can charge up to $3.00 (unless you are 62 or older, or have submitted a police report--see #4 and #5 above).

So, to summarize, a "security freeze" generally stops all access to your credit report unless you lift it, while an "extended fraud alert" permits creditors to get your report as long as they take steps to verify your identity. My general preference is the freeze, because it gives you the most control.

7.   Review Your Credit Reports and Dispute Errors. Carefully review your credit reports for errors. If errors on your credit report are the result of identity theft and you have submitted an Identity Theft Report, you are entitled to tell the credit reporting companies to block the disputed information from appearing on your credit report. Here is a sample letter that may be helpful.

The credit reporting agency will notify the relevant business of any disputed information, after which the business has 30 days to investigate and respond to the credit reporting agency. If the business finds an error, it must notify the credit reporting agency so your credit file can be corrected. If your credit file changes because of the business’s investigation, the credit reporting agency will send you a letter to notify you. The credit reporting agency cannot return the disputed information to your file unless the business says the information is correct. If the credit reporting company puts the information back in your file, it will send you a letter telling you that.

8.   Contact Any Businesses Involved. If you are aware of specific accounts that have been opened in your name without authorization, or existing accounts that have been accessed without your authorization, contact those organizations, even if you have already notified the credit reporting agencies of the problem. Ask to speak to someone in the fraud department. Ask them to reverse any unauthorized charges and to preserve all records for use by law enforcement. You might also want to ask them to simply close the accounts, and open new accounts for you. [Use different access credentials (such as a PIN or password) for the new accounts.] Ask for copies of any documents used by the identity thief. (Here's a sample letter.) Ask for a letter confirming that any fraudulent information has been removed or transactions reversed. Also ask them to stop reporting information relating to the fraud to credit reporting agencies. As soon as you conclude the conversation, memorialize your discussion in a certified letter to the organization. Here is a sample.

9.   Stop Debt Collectors from Contacting You about Fraudulent Debts. If an identity thief opens accounts in your name and doesn’t pay the bills, a debt collector may contact you. To stop debt collectors from contacting you, in addition to the steps described above, you can send them a letter using this form.

10.  Additional Tips:
  • Remember to record the dates you made calls or sent letters.
  • Keep copies of all correspondence in your files.
  • A number of sample letters are available here.

I hope you find this guide helpful. Please feel free to share it with your family, friends, and colleagues. Although I hope you never need it, I encourage you to bookmark this post for quick reference, along with the FTC's ID Theft website and the NC DOJ's website, just in case.


[FN1] When the person whose identity has been stolen either (a) is unable to respond on their own, whether due to a disability, age, or otherwise, or (b) is someone whose time is sufficiently valuable that it makes economic sense for them to hire someone else to remedy the situation, a lawyer/paralegal team may be well-positioned to handle these matters. Otherwise, it makes sense for the affected person to handle most aspects of resolving a stolen identity, with limited guidance from a knowledgeable lawyer.

IMPORTANT: This blog post is for educational purposes only, and does NOT constitute legal advice. You should consult with your own attorney about your specific situation. This blog post does not create an attorney-client relationship, and it will not be updated to reflect changes in law or practices, so you should refer to other sources to ensure you receive the most accurate, up-to-date information.