(a) With respect to individuals found under this subpart by the Secretary to be subject to a reasonable risk for the potential misuse of any sensitive personal information under this subpart, the Secretary may offer one or more of the following as warranted based on considerations specified in paragraph (b) of this section:

Ask a legal question, get an answer ASAP!
Click here to chat with a lawyer about your rights.

Terms Used In 38 CFR 75.118

  • Credit bureau: An agency that collects individual credit information and sells it for a fee to creditors so they can make a decision on granting loans. Typical clients include banks, mortgage lenders, credit card companies, and other financing companies. (Also commonly referred to as consumer-reporting agency or credit-reporting agency.) Source: OCC
  • Fair Credit Reporting Act: A federal law, established in 1971 and revised in 1997, that gives consumers the right to see their credit records and correct any mistakes. Source: OCC
  • Fraud: Intentional deception resulting in injury to another.

(1) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;

(2) Data breach analysis;

(3) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution; and/or

(4) One year of identity theft insurance with $20,000.00 coverage at $0 deductible.

(b) Consistent with the requirements of the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) as interpreted and applied by the Federal Trade Commission, the notice to the individual offering other credit protection services will explain how the individual may obtain the services, including the information required to be submitted by the individual to obtain the services, and the time period within which the individual must act to take advantage of the credit protection services offered.

(c) In determining whether any or all of the credit protection services specified in paragraph (a) of this section will be offered to individuals subject to a data breach, the Secretary will consider the following:

(1) The data elements involved;

(2) The number of individuals affected or potentially affected;

(3) The likelihood the sensitive personal information will be or has been made accessible to and usable by unauthorized persons;

(4) The risk of potential harm to the affected individuals; and

(5) The ability to mitigate the risk of harm.

(c) The Secretary will take action to obtain data mining and data breach analyses services, as appropriate, to obtain information relevant for making determinations under this subpart.

(Authority: 38 U.S.C. § 501, 5724, 5727)